[Snort-users] Please, point to the source where i can read about some signatures

Anton A. Chuvakin anton at ...5376...
Fri Sep 6 06:37:06 EDT 2002


Sergei and all,

>What does this message mean:
DDoS tool shaft client (i.e. a controll program) is probably talking to
one of the control modules of shaft denial-of-service network. The
handlers than can send commands to DoS bots to initiate an attack.

>[**] DDOS shaft client to handler [**]
>09/05-17:16:14.598799 213.152.133.10:80 -> 217.196.100.63:20432
I suspect it is a FALSE POSITIVE. Check the signature in your
/etc/snort.conf and confirm that they only track shaft by port number and
not by packet content. Then the sig will trigger on RESPONSE to a web
request done from high-numbered port to port 80.

>TCP TTL:64 TOS:0x0 ID:18426 IpLen:20 DgmLen:48 DF
>***A**S* Seq: 0x82327B22  Ack: 0xBC9B5FF7  Win: 0x60F4  TcpLen: 28
>TCP Options (4) => NOP NOP SackOK MSS: 1460

>Where can i read something about these signatures. Thanks a lot.
Hmm, if not on snort.org/snortdb, than nowhere.

Best,
-- 
  Anton A. Chuvakin, Ph.D., GCIA
     http://www.chuvakin.org
   http://www.info-secure.org






More information about the Snort-users mailing list