[Snort-users] Window Size
cpw at ...440...
Thu Jun 19 15:06:13 EDT 2003
Seeing as how you are a Wood:
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg: "W32.Randex.C"; flags:S,12; window:55808; classtype: trojan-activity; sid:40666; rev: 1; )
log tcp $EXTERNAL_NET any -> $HOME_NET any ( msg: "W32.Randex.C"; flags:S,12; window:55808; classtype: trojan-activity; sid:40666; rev: 1;)
The above finds any of your internal systems that have decided to join
the fray. It alerts immediately if your net hosts are sending them. Otherwise
it will log (I log using -b to a pcap file so I have all the
nitty gritty in a format I know and love).
Also, my alert is a "redalert" that will page me! So far so good, and I
do get other pages via snort so I know my pager is working. And,
finally, I got 184,007 of these yesterday (midnite to midnite).
Good luck Mr. Wood,
On Thu, Jun 19, 2003 at 04:36:22PM -0400, Andy Wood wrote:
> Can rules be written to detect a certain WINDOW size? (See the kernel
> msg below; not sure if WINDOW=dsize.)
> Jun 17 06:59:57 darkgate kernel: TCP DROP: IN=br0 OUT=br0 PHYSIN=eth0
> PHYSOUT=eth1 SRC=18.104.22.168 DST=22.214.171.124 LEN=52 TOS=0x00 PREC=0x00
> TTL=99 ID=57300 PROTO=TCP SPT=56102 DPT=55533 WINDOW=55808 RES=0x00 SYN
Phil Wood, cpw at ...440...
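As an added illustration (not part of the thread, and not Phil Wood's or the Snort project's code), the script below applies the same conditions as the two rules in the reply ("flags:S,12; window:55808;" plus the HOME_NET/EXTERNAL_NET direction) to netfilter LOG lines of the kind Andy Wood quoted, so the kernel message can be checked against the rule logic without a pcap. The HOME_NET value is an assumption chosen to cover the DST of the quoted line; the first sample line is the one from the question and the remaining four are constructed for the demo.

```python
import ipaddress
import re

# Assumed HOME_NET for this demo (constructed; Snort reads $HOME_NET from its config).
# It is chosen so the DST of the kernel line quoted in the question falls inside it.
HOME_NET = ipaddress.ip_network("22.214.171.0/24")

# Window value used by the two rules in the reply.
RANDEX_WINDOW = 55808

# Line 1 is the kernel message quoted in the question; lines 2-5 are constructed.
SAMPLE_LOG = [
    "Jun 17 06:59:57 darkgate kernel: TCP DROP: IN=br0 OUT=br0 PHYSIN=eth0 PHYSOUT=eth1 "
    "SRC=18.104.22.168 DST=22.214.171.124 LEN=52 TOS=0x00 PREC=0x00 TTL=99 ID=57300 "
    "PROTO=TCP SPT=56102 DPT=55533 WINDOW=55808 RES=0x00 SYN",
    "Jun 17 07:01:12 darkgate kernel: TCP DROP: IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 "
    "SRC=22.214.171.10 DST=192.0.2.50 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=1 "
    "PROTO=TCP SPT=1025 DPT=80 WINDOW=55808 RES=0x00 SYN",
    "Jun 17 07:02:30 darkgate kernel: TCP DROP: IN=br0 OUT=br0 PHYSIN=eth0 PHYSOUT=eth1 "
    "SRC=198.51.100.7 DST=22.214.171.124 LEN=52 TOS=0x00 PREC=0x00 TTL=50 ID=2 "
    "PROTO=TCP SPT=4000 DPT=22 WINDOW=65535 RES=0x00 SYN",
    "Jun 17 07:03:45 darkgate kernel: TCP DROP: IN=br0 OUT=br0 PHYSIN=eth0 PHYSOUT=eth1 "
    "SRC=198.51.100.7 DST=22.214.171.124 LEN=52 TOS=0x00 PREC=0x00 TTL=50 ID=3 "
    "PROTO=TCP SPT=4001 DPT=22 WINDOW=55808 RES=0x00 ACK",
    "Jun 17 07:04:00 darkgate kernel: TCP DROP: IN=br0 OUT=br0 PHYSIN=eth0 PHYSOUT=eth1 "
    "SRC=198.51.100.7 DST=22.214.171.124 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=4 "
    "PROTO=UDP SPT=53 DPT=53 LEN=40",
]

KV_RE = re.compile(r"(\w+)=(\S+)")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_netfilter(line):
    """Turn one netfilter LOG line into a dict; set TCP flags land in 'FLAGS'.
    Returns None for non-TCP lines, since both Snort rules are tcp-only."""
    fields = dict(KV_RE.findall(line))
    if fields.get("PROTO") != "TCP":
        return None
    # netfilter prints the set flags as bare tokens after the key=value fields.
    fields["FLAGS"] = {tok for tok in line.split() if tok in TCP_FLAGS}
    fields["WINDOW"] = int(fields["WINDOW"])
    return fields


def matches_randex(pkt):
    """Equivalent of 'flags:S,12; window:55808;': SYN alone (reserved bits 1 and 2
    are ignored, which is what the ',12' mask does) and the exact window value."""
    return pkt["FLAGS"] == {"SYN"} and pkt["WINDOW"] == RANDEX_WINDOW


def classify(pkt):
    """Map direction to the action the two rules take: HOME_NET -> EXTERNAL_NET
    alerts, EXTERNAL_NET -> HOME_NET only logs; anything else matches neither rule."""
    src_home = ipaddress.ip_address(pkt["SRC"]) in HOME_NET
    dst_home = ipaddress.ip_address(pkt["DST"]) in HOME_NET
    if src_home and not dst_home:
        return "alert"
    if dst_home and not src_home:
        return "log"
    return None


def scan(lines):
    """Return (action, src, dst) for every line the rules would fire on."""
    hits = []
    for line in lines:
        pkt = parse_netfilter(line)
        if pkt is None or not matches_randex(pkt):
            continue
        action = classify(pkt)
        if action:
            hits.append((action, pkt["SRC"], pkt["DST"]))
    return hits


if __name__ == "__main__":
    for action, src, dst in scan(SAMPLE_LOG):
        print(f"{action:5s} {src} -> {dst}")
```

Run against the sample, the quoted inbound SYN is a "log" hit (external to HOME_NET) and the constructed outbound SYN from an internal host is an "alert" hit, which is the case the reply cares about; the wrong-window, ACK-only and UDP lines are skipped. A real deployment would of course keep this in Snort rather than re-implement it, but the script makes the match conditions of the rules explicit and is handy for checking old firewall logs for the same pattern.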