[Snort-users] DOS rules for Nimda

Richard Ellerbrock richarde at ...6992...
Thu Sep 26 08:19:03 EDT 2002


Ah, I think you understand what I am after, probably because you wrote
the book on this kinda stuff - thanks for a great tool!

No, SEQ number not the same. Only thing that is constant is that for
each SYN to a destination there are EXACTLY two of the EXACT same
packets (Flags, SEQ, Source Port and WIN). So here is an example trace:

10.201.151.40 -> 10.201.18.154 D=80 S=4147 SYN SEQ=2132994334 LEN=0
WIN=16384
10.201.151.40 -> 10.201.18.154 D=80 S=4147 SYN SEQ=2132994334 LEN=0
WIN=16384
10.201.151.40 -> 10.201.84.107 D=80 S=4148 SYN SEQ=2147466592 LEN=0
WIN=16384
10.201.151.40 -> 10.201.84.107 D=80 S=4148 SYN SEQ=2147466592 LEN=0
WIN=16384
10.201.151.40 -> 10.201.58.47 D=80 S=4149 SYN SEQ=2147500852 LEN=0
WIN=16384
10.201.151.40 -> 10.201.58.47 D=80 S=4149 SYN SEQ=2147500852 LEN=0
WIN=16384
.
.
.

(copied from sniffer trace, these packets are 0.002 seconds apart!)

For some hosts the WIN size is 8192, but I think this depends on the MS
version and nothing else.

What snort really needs to be able to do is detect a constant source
address with a rapidly changing destination address doing a port scan,
something along the lines of a TCP verion of a ICMP smurf detector.

I will also check out 1.9 for the threshold option.

Richard
http://iptrack.sourceforge.net 


>>> Martin Roesch <roesch at ...1935...> 2002/09/26 04:27:38 >>>
Is the seq number constant for every connection?  If so you could do a
simple detection rule looking for the seq + window with the SYN flag
set.
If you use version 1.9 you can even use the new threshold keyword to
only
get one event notification for every X alerts....

    -Marty


On 9/26/02 7:11 AM, "Richard Ellerbrock" <richarde at ...6992...> wrote:

> I am trying to help a very large site that is being killed by denial
of
> service due to a large number of MS type workstations infected by
Nimda.
> The standard snort rules are no good as no connection is actually
made,
> just a HUGE SYN flood looking for open Web servers to infect.
Traffic
> looks like this:
> 
> Each host sends 2x SYN packets exactly the same (same source port,
SEQ
> and WIN size) to a remote host on port 80. Obviously never gets a
reply.
> Within a couple of milliseconds, tries another randon destination.
> 
> Now my understanding of snort points to the stream4 processor to
catch
> this stuff, but how to configure. The docs are a little unclear to
this
> snort newbie. I do get TTL evasion on stream4, but this does not
> indicate much.
> 
> Any help with rules/setup for this would be great.
> 
> 
> 
> -------------------------------------------------------
> This sf.net email is sponsored by:ThinkGeek
> Welcome to geek heaven.
> http://thinkgeek.com/sf 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net 
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users 
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users 
> 
> 

-- 
Martin Roesch - Founder/CTO Sourcefire Inc. - (410) 290-1616
Sourcefire: Professional Snort Sensor and Management Console
appliances
roesch at ...1935... - http://www.sourcefire.com 
Snort: Open Source Network IDS - http://www.snort.org 





More information about the Snort-users mailing list