[Snort-users] (no subject)
snrt at ...9551...
Tue Jun 24 12:34:07 EDT 2003
Hello, I'm using Snort 2.x on Red Hat 9 and added the signature from the
snort-sig list posted by Brian Coyle for the 55808 trojan traffic.
I saw a hit from a single address over a few seconds late at night, and I
am wondering if I did something wrong with the rule.
The rule posted (sorry, cut and pasted so it's goofy looking):
alert tcp any any -> any any (msg:"WATCHLIST - 20030613-window size"; flags: S; window: 55808; classtype:bad-unknown; sid:9999999; rev:2;)
Snort tagged it and ACID shows it. The weird thing is that I have 78 hits
from the same IP address going to port 443 (my web server port acting as
port 80, since my ISP blocks port 80 ... bah).
So I figured maybe the post on my website is triggering the rule. I
compared the access log hits, and those were a lot less than the sensor
hits, and there have been plenty of views on this page from elsewhere
without the sensor being alerted. Still not convinced, I checked the ACID
N seq # ack offset res window urp chksum
1206 443 X 3238984777 0 8 0 55808 0 34723
The window shows port 55808.
So, looking at the access log file, I noticed that the client being used was
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705)"
So can anyone explain what the deal is? It would seem that a Windows NT
system sent packets of window size 55808 to my web server port while
accessing the website at the same time.
Or is the signature causing the alert, and if so, then why doesn't it alert
for anyone visiting the page with the data about this new trojan?
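The following is an added example, not code from the original post, from Snort, or from the signature's author. It simulates what the posted rule actually tests: Snort's flags: and window: options look only at the TCP header, so a bare SYN whose window field is 55808 fires the rule no matter what the connection later carries, while a data segment (the page being served, the HTTP request) can never fire it because flags:S requires SYN alone. The function names, the parser and the sample headers are all this example's own; the first sample header reuses the values visible in the post's ACID row, the rest are constructed for contrast.

```python
"""Added example (not from the original post or from Snort): a small
simulation of what the posted 55808 rule tests. Only TCP header fields
are examined, so page content never enters into the match."""
import re
import struct

# The rule as posted, with the msg string and option list closed so it
# parses. (The msg text after "window size" was lost in the original paste.)
RULE_TEXT = (
    'alert tcp any any -> any any (msg:"WATCHLIST - 20030613-window size"; '
    'flags: S; window: 55808; classtype:bad-unknown; sid:9999999; rev:2;)'
)

# The six TCP flag bits Snort's flags: option names. The two reserved
# bits (0x40/0x80) are deliberately left out: plain flags:S is an exact
# match, so a SYN with either reserved bit set would not fire (assumption
# about Snort's default handling; the ",12" modifier would relax it).
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}


def parse_rule_options(rule_text):
    """Return the key:value options inside the rule's parentheses as a dict."""
    body = rule_text[rule_text.index("(") + 1:rule_text.rindex(")")]
    opts = {}
    # Each option is key:value; the value is a quoted string or bare text.
    for key, val in re.findall(r'(\w+)\s*:\s*("[^"]*"|[^;]+);', body):
        opts[key] = val.strip().strip('"')
    return opts


def build_tcp_header(sport, dport, seq, ack, flags, window):
    """Pack a minimal 20-byte TCP header (data offset 5, no options)."""
    off_flags = (5 << 12) | flags
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, off_flags, window, 0, 0)


def parse_tcp_header(raw):
    """Unpack the header fields the rule cares about from raw TCP bytes."""
    sport, dport, seq, ack, off_flags, window, cksum, urp = struct.unpack(
        "!HHIIHHHH", raw[:20]
    )
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": off_flags & 0xFF, "window": window, "urp": urp, "chksum": cksum,
    }


def rule_matches(opts, hdr):
    """Apply the flags: and window: tests the way Snort does for this rule.

    Only the plain exact-match form of flags: (no +, * or ! modifiers) is
    handled; the posted rule uses nothing else.
    """
    want = 0
    for ch in opts["flags"]:
        want |= FLAG_BITS[ch]
    if hdr["flags"] != want:          # flags must match exactly (SYN only)
        return False
    if "window" in opts and hdr["window"] != int(opts["window"]):
        return False
    return True


# Constructed sample headers. The first reuses the values shown in the
# post's ACID row (sport 1206, dport 443, seq 3238984777, window 55808);
# the other two are made up for contrast.
SAMPLES = {
    "syn_win_55808": build_tcp_header(1206, 443, 3238984777, 0, FLAG_BITS["S"], 55808),
    "syn_win_65535": build_tcp_header(1207, 443, 1, 0, FLAG_BITS["S"], 65535),
    # A PSH/ACK segment carrying request or page data: even with window
    # 55808 it cannot fire, because flags:S requires a bare SYN.
    "data_win_55808": build_tcp_header(
        1206, 443, 3238984778, 12345, FLAG_BITS["P"] | FLAG_BITS["A"], 55808
    ),
}


def evaluate(rule_text=RULE_TEXT, samples=SAMPLES):
    """Return {sample name: True if the rule would alert on that header}."""
    opts = parse_rule_options(rule_text)
    return {name: rule_matches(opts, parse_tcp_header(raw))
            for name, raw in samples.items()}


if __name__ == "__main__":
    for name, fired in evaluate().items():
        print(f"{name:16} -> {'ALERT' if fired else 'no alert'}")
```

Because the rule has no content: option, nothing about the served page is ever inspected; what fires is the SYN of every connection a client with a 55808-byte initial window opens, and since a browser can open several connections per page view, one alert per SYN is one plausible reason for seeing more sensor hits than access-log lines.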