[Snort-users] Re: mstream and shaft

Stephane Nasdrovisky stephane.nasdrovisky at ...4735...
Wed Jan 30 08:01:08 EST 2002


As far as shaft and I are concerned, these are probably false positives.

Each time I have checked the packet dumps and the corresponding firewall
log, I concluded it was a false positive. The port 20432 was the port
assigned by the firewall in the address translation process, not the real
port used by any server or client.

Removing the masquerading (Hide NAT in Check Point terminology) address from
the $INTERNAL object or enforcing this rule only on the internal network
would reduce the false positive rate.

The rule looks like
alert TCP $EXTERNAL any -> $INTERNAL 20432 (flags: A+;)

Using
alert TCP $EXTERNAL any -> $MY_SERVERS_ROUTABLE_ADDRESSES 20432 (flags: A+;)

could help.

mike maxwell wrote:

> I am using Snort as an IDS for my network ..... I am seeing alerts about
> mstream and shaft traffic to several of my customers' PCs. I know that
> these PCs are not running Unix. Is there a port of this trojan for
> Windows out there in the wild, or are these false alarms....
>
> alert.1:01/29-15:27:03.962255  [**] [1:230:1] DDOS shaft client to
> handler [**] [Classification: Attempted Denial of Service] [Priority: 2]
> {TCP} *.*.*.*:80 -> *.*.*.*:20432
>
> alert.1:01/29-22:19:03.262255  [**] [1:248:1] DDOS mstream handler to
> client [**] [Classification: Attempted Denial of Service] [Priority: 2]
> {TCP} *.*.*.*:12754 -> *.*.*.*:20
>
> --
> Mike Maxwell
> System Manager--GMA
> mmaxwell at ...4734...
> ****************************************************
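As an added example (not code from either poster), a small Python triage script that does the correlation Stephane describes by hand: it parses Snort fast-format alert lines and a firewall translation log, and marks an alert as a likely false positive when the flagged port 20432 is merely the port the firewall assigned on its Hide NAT address. The alert lines and the translation log are constructed sample data, and the log format is hypothetical, not Check Point's.

```python
import re

# Constructed sample input: two Snort fast-format alert lines in the same shape
# as the ones quoted in the thread, using RFC 5737 documentation addresses.
ALERTS = """\
01/29-15:27:03.962255  [**] [1:230:1] DDOS shaft client to handler [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 203.0.113.10:80 -> 192.0.2.5:20432
01/29-15:31:11.104400  [**] [1:230:1] DDOS shaft client to handler [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 203.0.113.77:4444 -> 192.0.2.9:20432
"""

# Constructed firewall translation log in a hypothetical format (not Check Point's):
# "<time> <real src>:<port> hidden-as <nat addr>:<nat port> to <dst>:<port>".
NAT_LOG = """\
01/29-15:27:01 10.1.1.23:3501 hidden-as 192.0.2.5:20432 to 203.0.113.10:80
01/29-15:27:02 10.1.1.40:3502 hidden-as 192.0.2.5:20433 to 203.0.113.10:80
"""

ALERT_RE = re.compile(r"\[(\d+):(\d+):\d+\] (.*?) \[\*\*\].*?\{(\w+)\} (\S+):(\d+) -> (\S+):(\d+)")
NAT_RE = re.compile(r"^\S+ (\S+):(\d+) hidden-as (\S+):(\d+) to (\S+):(\d+)$")


def parse_alerts(text):
    """Return one dict per alert line: sid, message, protocol, src and dst (addr, port)."""
    out = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            out.append({"sid": int(m.group(2)), "msg": m.group(3), "proto": m.group(4),
                        "src": (m.group(5), int(m.group(6))), "dst": (m.group(7), int(m.group(8)))})
    return out


def parse_nat_log(text):
    """Map each (nat addr, nat port) pair to the real internal (addr, port) it hides."""
    table = {}
    for line in text.splitlines():
        m = NAT_RE.match(line)
        if m:
            table[(m.group(3), int(m.group(4)))] = (m.group(1), int(m.group(2)))
    return table


def triage(alerts, nat_table):
    """Label each alert: the matched port was only a NAT-assigned translation, or it needs a look."""
    results = []
    for a in alerts:
        real = nat_table.get(a["dst"])          # was the alert's destination a NAT binding?
        if real is not None and real[1] != a["dst"][1]:
            results.append((a["sid"], a["dst"], "nat-translated port: likely false positive"))
        else:
            results.append((a["sid"], a["dst"], "no translation record: review packet dump"))
    return results


if __name__ == "__main__":
    for row in triage(parse_alerts(ALERTS), parse_nat_log(NAT_LOG)):
        print(row)
```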
