[Snort-users] ID'ing loopback spoof

Blake.Fithen at ...10844...
Tue Dec 30 07:54:22 EST 2003


Hello, 

Trying to ID activity/scans which have the following 
characteristics:

- Source Address: 127.0.0.1 (spoofed)
- Source Port: 80
- Protocol: TCP
- Destination Address: scanning entire internal /16 private
supernet
- Destination Port: randomized between 1000..2000
- Average packet size: 64.0000 bytes
- Flags set: RST, ACK
- Payload: varies except for several fixed characters: E A P p (
- Periodicity: random/varies.  continues for 1 - 3 hours
  then stops for ~6..~24 hours.
- Frame Size: static 60 bytes
- Window Size, a consistent 55808 regardless of source address

Gut feeling is that this activity throttles M$ HTTP/DNS/? 
services/daemons which require a restart/reboot of the service
or server. IOW - a reboot is pretty much guaranteed to fix it 
for a few hours.

Any help would be sincerely appreciated.

Happy Holidays!!!

--
blake
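An added example, not part of the post or of Snort itself, that turns the characteristics listed above into a small detector over packet summaries; it assumes a 10.10.0.0/16 internal supernet, a sweep threshold of three distinct targets, and constructed sample packets.

```python
import ipaddress
from collections import Counter

# Fingerprint from the post: spoofed 127.0.0.1 source, TCP sport 80,
# RST+ACK, window 55808, dport 1000..2000, destinations across a /16.
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
INTERNAL = ipaddress.ip_network("10.10.0.0/16")  # assumed /16 supernet
SWEEP_THRESHOLD = 3  # assumed: distinct targets before calling it a sweep

def is_loopback_spoof(pkt):
    # 127/8 must never appear on the wire (RFC 1122), so a loopback
    # source is spoofed by definition and worth alerting on by itself.
    return ipaddress.ip_address(pkt["src"]) in LOOPBACK

def matches_fingerprint(pkt):
    # Full match against the scan described in the post.
    return (is_loopback_spoof(pkt)
            and pkt["proto"] == "tcp"
            and pkt["sport"] == 80
            and pkt["flags"] == {"R", "A"}  # RST+ACK and nothing else
            and pkt["window"] == 55808
            and 1000 <= pkt["dport"] <= 2000
            and ipaddress.ip_address(pkt["dst"]) in INTERNAL)

def summarize(packets):
    # Many distinct internal targets from one bogus source is the /16 sweep.
    hits = [p for p in packets if matches_fingerprint(p)]
    targets = Counter(p["dst"] for p in hits)
    return {"hits": len(hits), "distinct_targets": len(targets),
            "sweep": len(targets) >= SWEEP_THRESHOLD}

def pkt(src, dst, sport, dport, flags, window=55808, proto="tcp"):
    # Minimal packet summary, as a sensor or pcap parser would hand over.
    return {"src": src, "dst": dst, "proto": proto, "sport": sport,
            "dport": dport, "flags": set(flags), "window": window}

# Constructed sample traffic (not real captures): three fingerprint packets
# sweeping hosts, one loopback-spoofed SYN outside the fingerprint, and one
# genuine RST/ACK from a real web server that must not match.
SAMPLE = [
    pkt("127.0.0.1", "10.10.1.5", 80, 1432, "RA"),
    pkt("127.0.0.1", "10.10.1.6", 80, 1977, "RA"),
    pkt("127.0.0.1", "10.10.200.9", 80, 1001, "RA"),
    pkt("127.0.0.1", "10.10.1.7", 80, 1500, "S", window=8192),
    pkt("198.51.100.10", "10.10.1.5", 80, 1432, "RA", window=16384),
]

print(summarize(SAMPLE))  # {'hits': 3, 'distinct_targets': 3, 'sweep': True}
```

In Snort rule terms the same match is `flags:RA; window:55808;` on `tcp 127.0.0.0/8 80 -> $HOME_NET 1000:2000`; the loopback-source check alone is a safe catch-all, since no legitimate packet carries a 127/8 source on the wire.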
