[Snort-users] RE: 55808 window size [WAS: (no subject)]
Brian.Coyle at ...8396...
Tue Jun 24 14:13:02 EDT 2003
snrt <snrt at ...9551...> wrote:
> Hello, I'm using snort 2.x on RedHat 9 and added the signature from the
> snort-sig list posted by Brian Coyle for the 55808 trojan traffic.
> I saw a hit from a single address over a few seconds late at night and I
> am wondering if I did something wrong with the rule.
> Snort tagged it and Acid shows it. The weird thing is that I have 78 hits
> from the same IP address going to port 443 (my webserver port acting as
> port 80 since my ISP blocks port 80 ... bah).
> So can anyone explain what the deal is?
As of this morning, I've now seen a couple of false positives from this rule.
Occasionally, a source with legit traffic will start with a window size of
55808. Snort triggers on the 55808/SYN packet, but subsequent packets have
a reduced window size. The IP Seq. numbers will also vary as expected for
-- Brian, GCIA
 I've seen mostly spammers targeting a mailserver, so 'legit' is loosely
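As an added example (not from the thread and not Brian's rule), the Python below shows the post-processing a defender could apply to the hits: the naive check fires on every 55808/SYN, while the corroborating check looks at the rest of that source's packets and downgrades the hit when the window shrinks, the legitimate pattern Brian describes. The packet records, flag letters and addresses are constructed.

```python
from collections import defaultdict

STUMBLER_WINDOW = 55808  # window size the Snort rule keys on

# Constructed sample traffic, not a real capture: (src_ip, tcp_flags, window).
# Flags use tcpdump-style letters ("S" = SYN, "A" = ACK, "P" = PSH, "R" = RST).
# 10.0.0.5 behaves like the false positive in the thread: it opens with a
# 55808 SYN but its later packets carry a smaller window.
# 192.0.2.9 keeps the 55808 window on every packet it sends.
PACKETS = [
    ("10.0.0.5", "S", 55808),
    ("10.0.0.5", "A", 16384),
    ("10.0.0.5", "PA", 16384),
    ("192.0.2.9", "S", 55808),
    ("192.0.2.9", "S", 55808),
    ("192.0.2.9", "S", 55808),
]


def naive_alerts(packets):
    """Mirror the list rule: one alert per SYN whose window is 55808."""
    return [src for src, flags, window in packets
            if "S" in flags and window == STUMBLER_WINDOW]


def corroborated_alerts(packets):
    """Group packets by source and downgrade a 55808/SYN hit when the same
    source also sends packets with a reduced window, the benign pattern the
    thread reports. Returns {src_ip: verdict} for sources that hit."""
    by_src = defaultdict(list)
    for src, flags, window in packets:
        by_src[src].append((flags, window))
    verdicts = {}
    for src, pkts in by_src.items():
        hit = any("S" in f and w == STUMBLER_WINDOW for f, w in pkts)
        if not hit:
            continue
        reduced = any(w < STUMBLER_WINDOW for _, w in pkts)
        verdicts[src] = "likely false positive" if reduced else "suspicious"
    return verdicts


if __name__ == "__main__":
    print(naive_alerts(PACKETS))
    print(corroborated_alerts(PACKETS))
```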