[Snort-users] Please, point to the source where I can read about some signatures

Ian Macdonald secsnort at ...5528...
Fri Sep 6 06:22:02 EDT 2002


Here are some references:

http://security.royans.net/info/posts/bugtraq_ddos3.shtml
http://biocserver.bioc.cwru.edu/~jose/shaft_analysis/node-analysis.txt
http://www.usenix.org/events/lisa2000/full_papers/dietrich/dietrich_html/

I was working on updating the signatures, but didn't find any packet dumps
to validate the signatures against.

Ian
----- Original Message -----
From: "Sergei Balyakin" <sergei at ...6719...>
To: "snort-users-request at lists.sourceforge.net"
<snort-users at lists.sourceforge.net>
Sent: Friday, September 06, 2002 4:33 AM
Subject: [Snort-users] Please, point to the source where I can read about
some signatures


> Hi, all!
>
> What does this message mean:
>
> [**] DDOS shaft client to handler [**]
> 09/05-17:16:14.598799 213.152.133.10:80 -> 217.196.100.63:20432
> TCP TTL:64 TOS:0x0 ID:18426 IpLen:20 DgmLen:48 DF
> ***A**S* Seq: 0x82327B22  Ack: 0xBC9B5FF7  Win: 0x60F4  TcpLen: 28
> TCP Options (4) => NOP NOP SackOK MSS: 1460
>
> Where can I read something about these signatures? Thanks a lot.
>
>
>
> --
> Best regards,
>  Sergei                            mailto:sergei at ...6719...




