[Snort-users] Land Attack
athomas at ...5484...
Tue Dec 31 09:08:07 EST 2002
I see 2 rules -
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS Land attack";
id:3868; seq: 3868;
flags:S; reference:cve,CVE-1999-0016; classtype:attempted-dos; sid:269;
alert ip any any -> any any (msg:"BAD TRAFFIC same SRC/DST"; sameip;
classtype:bad-unknown; sid:527; rev:3;)
I was referring to the second one. Is it not a Land attack?
The reference, CVE-1999-0016, is the same for both and classifies it as
So I was wondering if the packet has SRC and DST IP same, it is LAND
it has to be a SYN packet with same SRC/DST ports also.
Thanks a lot
Phil Wood wrote:
>The rule in snort looks for a SYN packet with IP ident == tcp sequence (0xF1C)
>which is based on the source for land.c. You would have to peruse the hacker
>source sites for that.
>There is no primitive to look for source port equal to destination port.
>You could write one. %^)
>On Tue, Dec 31, 2002 at 02:31:51AM -0500, Ashley Thomas wrote:
>>What is the signature for a Land attack?
>>All the documentation I could get hold of mentioned 'Land Attack' to be a
>>TCP Syn packet with same Src IP/port and Dest IP/port.
>>Then how do we classify the DoS attack packet which has same Src IP and
>>(let's say it is not a TCP/UDP packet -> so port is not considered)
>>Snort signature for Land also has considered only the IP address and not
>>College of Computing
College of Computing
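
The thread distinguishes three conditions: same source and destination IP (sid:527, sameip), the IP id / TCP seq value 3868 on a SYN (sid:269), and the documented Land definition of a SYN with the same IP and the same port on both sides. The sketch below is an added example, not code from the thread or from Snort; classify(), build() and the sample packets are hypothetical and constructed for offline parsing, and "SYN only" is approximated as no other of the six classic TCP flags being set.

```python
import struct

SYN = 0x02
LAND_C_VALUE = 3868  # 0xF1C, the id/seq value in the sid:269 rule quoted above

def classify(packet: bytes) -> set:
    """Return which of the thread's three conditions a raw IPv4 packet meets."""
    hits = set()
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return hits                          # not a parsable IPv4 header
    ihl = (packet[0] & 0x0F) * 4
    ident, = struct.unpack_from("!H", packet, 4)
    proto = packet[9]
    src, dst = packet[12:16], packet[16:20]
    if src == dst:
        hits.add("same-ip")                  # all that sid:527 (sameip) checks
    if proto != 6 or ihl < 20 or len(packet) < ihl + 14:
        return hits                          # no TCP header to inspect
    sport, dport, seq = struct.unpack_from("!HHI", packet, ihl)
    flags = packet[ihl + 13] & 0x3F
    if flags == SYN:
        if ident == LAND_C_VALUE and seq == LAND_C_VALUE:
            hits.add("land.c-fingerprint")   # what sid:269 keys on
        if src == dst and sport == dport:
            hits.add("land-definition")      # SYN, same IP and same port
    return hits

def build(src, dst, proto, ident=1, sport=0, dport=0, seq=0, flags=0):
    """Construct header bytes for parsing only (checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 0x50, flags, 512, 0, 0)
    payload = tcp if proto == 6 else b"\x00" * 8
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0,
                     64, proto, 0, bytes(src), bytes(dst))
    return ip + payload

A, B = (192, 0, 2, 10), (192, 0, 2, 20)      # constructed documentation addresses
SAMPLES = {                                   # constructed packets, ports arbitrary
    "icmp, same ip": build(A, A, 1),
    "syn, same ip and port": build(A, A, 6, sport=7000, dport=7000, seq=7, flags=SYN),
    "syn, land.c values": build(A, A, 6, ident=3868, sport=7000, dport=7000,
                                seq=3868, flags=SYN),
    "syn, id/seq 3868 only": build(B, A, 6, ident=3868, sport=1025, dport=80,
                                   seq=3868, flags=SYN),
    "ordinary syn": build(B, A, 6, sport=1025, dport=80, seq=7, flags=SYN),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:24} {sorted(classify(pkt))}")
```

The second sample meets the documented definition without matching the 3868 fingerprint, and the fourth matches the fingerprint without being a Land packet, which is the gap the thread is asking about.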