[Snort-users] Please, point to the source where i can read about some signatures
Anton A. Chuvakin
anton at ...5376...
Fri Sep 6 06:37:06 EDT 2002
Sergei and all,
>What does this message mean:
DDoS tool shaft client (i.e. a controll program) is probably talking to
one of the control modules of shaft denial-of-service network. The
handlers than can send commands to DoS bots to initiate an attack.
>[**] DDOS shaft client to handler [**]
>09/05-17:16:14.598799 18.104.22.168:80 -> 22.214.171.124:20432
I suspect it is a FALSE POSITIVE. Check the signature in your
/etc/snort.conf and confirm that they only track shaft by port number and
not by packet content. Then the sig will trigger on RESPONSE to a web
request done from high-numbered port to port 80.
>TCP TTL:64 TOS:0x0 ID:18426 IpLen:20 DgmLen:48 DF
>***A**S* Seq: 0x82327B22 Ack: 0xBC9B5FF7 Win: 0x60F4 TcpLen: 28
>TCP Options (4) => NOP NOP SackOK MSS: 1460
>Where can i read something about these signatures. Thanks a lot.
Hmm, if not on snort.org/snortdb, than nowhere.
Anton A. Chuvakin, Ph.D., GCIA
More information about the Snort-users