[Snort-users] Snort and matching window size?

James Lay slave_tothe_box at ...131...
Mon Jun 30 06:22:10 EDT 2003


Hey all!

Quick question...been trying to match a window size.  Here's the packet:

06/26-08:16:17.848110 80.253.125.31:1862 -> 24.116.*.*:6588
TCP TTL:50 TOS:0x0 ID:0 IpLen:20 DgmLen:40 DF
******S* Seq: 0x1D6E  Ack: 0x0  Win: 0x498D  TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

06/26-08:43:14.784973 217.21.119.4:1025 -> 24.116.*.*:6588
TCP TTL:47 TOS:0x0 ID:0 IpLen:20 DgmLen:40 DF
******S* Seq: 0x1D6E  Ack: 0x0  Win: 0x498D  TcpLen: 20

These are just 2 of them, but the window size for this scan seems to be the same.  This port is always part of a 3 part scan that has port 3128, 6588, and 8080.

Apr  8 08:49:20 homebox kernel: IN=eth0 OUT= MAC=00:60:08:16:39:30:00:08:20:cb:04:a8:08:00 SRC=170.208.15.82 DST=24.116.*.* LEN=40 TOS=0x10 PREC=0x00 TTL=241 ID=61187 PROTO=TCP SPT=21438 DPT=6588 WINDOW=16384 RES=0x00 SYN URGP=0

Apr  8 08:49:20 homebox kernel: IN=eth0 OUT= MAC=00:60:08:16:39:30:00:08:20:cb:04:a8:08:00 SRC=170.208.15.82 DST=24.116.*.* LEN=40 TOS=0x10 PREC=0x00 TTL=241 ID=57956 PROTO=TCP SPT=48159 DPT=3128 WINDOW=16384 RES=0x00 SYN URGP=0

Apr  8 08:49:20 homebox kernel: IN=eth0 OUT= MAC=00:60:08:16:39:30:00:08:20:cb:04:a8:08:00 SRC=170.208.15.82 DST=24.116.*.* LEN=40 TOS=0x10 PREC=0x00 TTL=241 ID=10814 PROTO=TCP SPT=47980 DPT=8080 WINDOW=16384 RES=0x00 SYN URGP=0

I know that 3128 is Squid and that 8080 is SOCKS, and after doing some research (http://isc.incidents.org/port_details.html?port=6588&repax=1&tarax=2&srcax=2&percent=N&days=40&Redraw=) this is an AnalogX proxy scan.  I'm using:

alert tcp $EXTERNAL_NET any -> $HOME_NET 6588 (msg:"AnalogX Proxy Server Scan"; flags:S;)

as my rule, but I'd like to know if there's a way to match the window size.  I tried matching it with a content matching keyword, but that didn't work.  Does the content keyword match just the data portion of the packet?  Or does it content match against headers as well?  Thanks all!

James
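Added illustration (not part of James's post or of Snort itself): the SYN packets above carry no payload, and Snort's content keyword searches only the TCP payload, so the window value (which lives at bytes 14-15 of the TCP header) is never visible to it; header fields are matched with header options such as Snort 2's window keyword instead. The script rebuilds one of the posted 40-byte SYNs from the fields shown (the masked destination 24.116.*.* is replaced by a constructed placeholder, checksums are left zero) and compares a payload-only search with a header-field check.

```python
import struct

# Constructed sample: the 40-byte IP+TCP SYN from the post, rebuilt from the
# printed fields (IpLen:20, TcpLen:20, Seq 0x1D6E, Win 0x498D, DF, no payload).
# The masked destination is a placeholder; checksums are not computed.
def build_syn(src_ip, dst_ip, sport, dport, seq, win, ttl=50):
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0x00, 40, 0, 0x4000, ttl, 6, 0,   # DF set, proto TCP
                     bytes(map(int, src_ip.split("."))),
                     bytes(map(int, dst_ip.split("."))))
    # data offset 5 (20 bytes) in the high nibble, SYN flag only, urg ptr 0
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x02, win, 0, 0)
    return ip + tcp

def tcp_fields(pkt):
    """Parse the TCP header that follows the IP header; return fields + payload."""
    ihl = (pkt[0] & 0x0F) * 4
    sport, dport, seq, ack, off_flags, win = struct.unpack("!HHIIHH", pkt[ihl:ihl + 16])
    data_off = (off_flags >> 12) * 4          # TCP header length in bytes
    flags = off_flags & 0x1FF                 # NS + CWR..FIN
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": flags, "win": win, "payload": pkt[ihl + data_off:]}

def content_match(pkt, pattern):
    """Payload-only search, the scope of Snort's content keyword."""
    return pattern in tcp_fields(pkt)["payload"]

def raw_match(pkt, pattern):
    """Whole-packet search: the window bytes are present, but only in the header."""
    return pattern in pkt

def window_match(pkt, win):
    """Header-field check, the scope of a header option such as window."""
    return tcp_fields(pkt)["win"] == win

def is_analogx_probe(pkt):
    """SYN to 6588 with the window value seen in the posted scans."""
    f = tcp_fields(pkt)
    return f["dport"] == 6588 and bool(f["flags"] & 0x02) and f["win"] == 0x498D

if __name__ == "__main__":
    pkt = build_syn("80.253.125.31", "24.116.0.0", 1862, 6588, 0x1D6E, 0x498D)
    print("payload bytes:", len(tcp_fields(pkt)["payload"]))
    print("content match on window bytes:", content_match(pkt, b"\x49\x8d"))
    print("window match:", window_match(pkt, 0x498D))
```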