[Snort-users] RE: 55808 window size [WAS: (no subject)]

Coyle, Brian Brian.Coyle at ...8396...
Tue Jun 24 14:13:02 EDT 2003

snrt <snrt at ...9551...> wrote:

[major snippage]
> Hello, I'm using snort 2.x on RedHat 9 and added the signature from the 
> snort-sig list posted by Brian Coyle for the 55808 trojan traffic.

> I saw a hit from a single address over a few seconds late at night and I 
> am wondering if I did something wrong with the rule.

> Snort tagged it and Acid shows it. The weird thing is that I have 78 hits 
> from the same IP address going to port 443 (my webserver port acting as 
> port 80 since my ISP blocks port 80 ... bah). 

> So can anyone explain what the deal is?

As of this morning, I've now seen a couple of false positives from this rule.
Occasionally, a source with legit traffic[1] will start with a window size of 
55808.  Snort triggers on the 55808/SYN packet, but subsequent packets have 
a reduced window size.  The IP Seq. numbers will also vary as expected for 
regular traffic.


                                    -- Brian, GCIA

[1] I've seen mostly spammers targeting a mailserver, so 'legit' is loosely
defined.  ;)
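
Added example, not part of the original post or of Snort: one way to triage hits from a rule matching SYN packets with window 55808, using the observation above that legitimate flows follow the SYN with reduced window sizes and varying sequence numbers. The packet tuples, field names and verdict labels are assumptions made for illustration, and the sample data is constructed.

```python
from collections import defaultdict, namedtuple

SUSPECT_WINDOW = 55808  # window size the rule discussed in the post matches on

# Hypothetical record layout for packets exported from a capture.
Pkt = namedtuple("Pkt", "time src sport dst dport flags window seq")

# Constructed sample packets (documentation addresses, not real capture data).
PACKETS = [
    Pkt(1, "192.0.2.10", 40001, "198.51.100.5", 25, "S", 55808, 1000),
    Pkt(2, "192.0.2.10", 40001, "198.51.100.5", 25, "A", 5840, 1001),
    Pkt(3, "192.0.2.10", 40001, "198.51.100.5", 25, "PA", 5840, 1001),
    Pkt(4, "192.0.2.10", 40001, "198.51.100.5", 25, "PA", 5792, 1025),
    Pkt(5, "203.0.113.7", 1234, "198.51.100.5", 443, "S", 55808, 777),
    Pkt(6, "203.0.113.7", 1235, "198.51.100.5", 443, "S", 55808, 777),
    Pkt(7, "203.0.113.9", 5000, "198.51.100.5", 443, "S", 65535, 42),
]


def triage(packets, suspect_window=SUSPECT_WINDOW):
    """Return {src: verdict} for every source that sent a SYN with the suspect window."""
    flows = defaultdict(list)
    for pkt in sorted(packets):  # namedtuples sort by time first
        flows[(pkt.src, pkt.sport, pkt.dst, pkt.dport)].append(pkt)

    verdicts = {}
    for (src, _sport, _dst, _dport), pkts in flows.items():
        # Position of the SYN that would have fired the rule, if any.
        hit = next((i for i, p in enumerate(pkts)
                    if p.flags == "S" and p.window == suspect_window), None)
        if hit is None:
            continue
        followups = [p for p in pkts[hit + 1:] if p.flags != "S"]
        reduced = any(p.window < suspect_window for p in followups)
        seq_varies = len({p.seq for p in followups}) > 1
        verdict = "likely-false-positive" if reduced and seq_varies else "review"
        # One unexplained flow is enough to keep the whole source under review.
        if verdicts.get(src) != "review":
            verdicts[src] = verdict
    return verdicts


if __name__ == "__main__":
    for src, verdict in triage(PACKETS).items():
        print(src, verdict)
```

A "review" verdict only means the flow shows none of the normal follow-up traffic described above; it is a prompt to look at the capture, not a confirmation.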
