[Snort-users] (no subject)

snrt snrt at ...9551...
Tue Jun 24 12:34:07 EDT 2003


Hello, I'm using snort 2.x on RedHat 9 and added the signature from the 
snort-sig list posted by Brian Coyle for the 55808 trojan traffic.

I saw a hit from a single address over a few seconds late at night and I 
am wondering if I did something wrong with the rule.

The rule posted (sorry, cut n pasted so it's goofy looking):

alert tcp any any -> any any (msg:"WATCHLIST - 20030613-window size 0xDA00"; \
  flags:S; window:55808; classtype:bad-unknown; sid:9999999; rev:2; \
  reference:url,cert.uni-stuttgart.de/archive/intrusions/2003/06/msg00146.html; \
  reference:url,www.gcn.com/vol1_no1/daily-updates/22371-1.html; \
  reference:url,www.securityfocus.com/archive/75/324348/2003-06-09/2003-06-15/0;)


Snort tagged it and ACID shows it. The weird thing is that I have 78 hits 
from the same IP address going to port 443 (my webserver port acting as 
port 80 since my ISP blocks port 80 ... bah). 

So I figured maybe the post on my website is triggering the rule. I 
compared the access log hits and those were a lot less than the sensor 
hits, and there's been plenty of views on this page from elsewhere 
without the sensor being alerted. Still not convinced, I checked the ACID 
TCP information:

source port  dest port  R1  R0  URG  ACK  PSH  RST  SYN  FIN  seq #       ack  offset  res  window  urp  chksum
1206         443                                    X         3238984777  0    8       0    55808   0    34723


The window shows port 55808. 

So looking at the access log file I noticed that the client being used was 
id'd as:

"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705)"


So can anyone explain what the deal is? It would seem that a Windows NT 
system sent packets of window size 55808 to my webserver port while 
accessing the website at the same time.

Or is the signature causing the alert, and if so then why doesn't it alert 
for anyone visiting the page with the data about this new trojan?


thanks!

Greg
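An added example, not from the post or from Snort itself: it decodes a raw 20-byte TCP header and applies the two conditions the posted rule actually checks (SYN set alone, window exactly 55808), so you can see which kinds of packets would fire. The sample headers are constructed here; the first mirrors the values in the ACID row above.

```python
import struct

# Bits of the TCP flags byte (RFC 793).
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
WATCH_WINDOW = 55808  # 0xDA00, the value in the posted rule


def parse_tcp_header(raw: bytes) -> dict:
    """Decode the fixed 20-byte TCP header; options (if any) are not needed here."""
    if len(raw) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_res, flags, window, chksum, urp = struct.unpack(
        "!HHIIBBHHH", raw[:20]
    )
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "offset": off_res >> 4,
        "flags": {name for name, bit in TCP_FLAGS.items() if flags & bit},
        "window": window, "chksum": chksum, "urp": urp,
    }


def matches_watchlist_rule(hdr: dict) -> bool:
    """Mimic 'flags:S; window:55808;': Snort's plain flags:S means SYN and nothing else."""
    return hdr["flags"] == {"SYN"} and hdr["window"] == WATCH_WINDOW


def build_tcp_header(sport, dport, seq, flags_bits, window) -> bytes:
    """Constructed header with data offset 5 (no options), zero checksum/urgent pointer."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags_bits, window, 0, 0)


# Constructed samples (assumed values, not captured traffic):
SAMPLES = {
    # A plain SYN to port 443 advertising window 55808, like the ACID row: fires.
    "syn_443_55808": build_tcp_header(1206, 443, 3238984777, 0x02, 55808),
    # SYN/ACK carrying the same window: flags:S requires SYN alone, so no alert.
    "synack_55808": build_tcp_header(443, 1206, 1, 0x12, 55808),
    # Ordinary SYN with a different window: no alert.
    "syn_65535": build_tcp_header(1207, 443, 10, 0x02, 65535),
}


def triage(samples: dict) -> dict:
    """Return {name: True/False} for whether each raw header would trigger the rule."""
    return {name: matches_watchlist_rule(parse_tcp_header(raw)) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, hit in triage(SAMPLES).items():
        print(f"{name}: {'ALERT' if hit else 'ok'}")
```

The rule only says that a lone SYN carried that window value; it does not inspect any payload, so whether a given client stack legitimately advertises 55808 has to be settled from the connection itself, not from the alert.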




