No subject


Thu Nov 23 16:36:19 EST 2017


  config response: device eth1 attempts 10
  preprocessor stream5_global: max_tcp 8192, memcap 104857600, track_tcp yes, \
                              track_udp no, max_active_responses 10, \
                              min_response_seconds 1

Our rule is like so:

  alert tcp $HOME_NET any -> [XX.XX.XX.0/24] $HTTP_PORTS
  (msg:"UFOISC reset test"; classtype:trojan-activity; sid:9000092;
  resp:reset_XXXX; )

I've tried 'reset_both' and 'reset_dest'.

Preliminary tests were not seeing the resets reach the test machine that
was tripping the rule. Sniffing on the reset interface, I found that the
reset attempts were going out, but the TTL is 0 (see attached).

I've tried compiling with and without --enable-ipv6 but the result is
the same.

Has anyone else seen this behavior? I've likely missed a step somewhere.

I'll be glad to supply more info if needed.

-- 
Jim Hranicky
IT Security Engineer
Office of Information Security and Compliance
University of Florida

Attachment: rst.txt

13:54:36.117190 IP (tos 0x0, id 2980, offset 0, flags [none], proto TCP (6), length 40)
    XX.XX.XX.XX.56202 > YY.YY.YY.YY.80: Flags [R], cksum 0xfeb5 (correct), seq 3757093111, win 0, length 0
13:54:36.117195 IP (tos 0x0, id 32375, offset 0, flags [none], proto TCP (6), length 40)
    XX.XX.XX.XX.56202 > YY.YY.YY.YY.80: Flags [R], cksum 0xfeb5 (correct), seq 3757093111, win 0, length 0
13:54:36.117201 IP (tos 0x0, id 53133, offset 0, flags [none], proto TCP (6), length 40)
    XX.XX.XX.XX.56202 > YY.YY.YY.YY.80: Flags [R], cksum 0xfeb5 (correct), seq 3757093111, win 0, length 0
13:54:36.117206 IP (tos 0x0, id 6393, offset 0, flags [none], proto TCP (6), length 40)
    XX.XX.XX.XX.56202 > YY.YY.YY.YY.80: Flags [R], cksum 0xfe98 (correct), seq 3757093140, win 0, length 0
13:54:36.117213 IP (tos 0x0, id 9770, offset 0, flags [none], proto TCP (6), length 40)
    XX.XX.XX.XX.56202 > YY.YY.YY.YY.80: Flags [R], cksum 0xfe7b (correct), seq 3757093169, win 0, length 0
13:54:36.117218 IP (tos 0x0, id 4344, offset 0, flags [none], proto TCP (6), length 40)
    XX.XX.XX.XX.56202 > YY.YY.YY.YY.80: Flags [R], cksum 0xfe5e (correct), seq 3757093198, win 0, length 0
13:54:36.117234 IP (tos 0x0, id 19504, offset 0, flags [none], proto TCP (6), length 40)
    XX.XX.XX.XX.56202 > YY.YY.YY.YY.80: Flags [R], cksum 0xfe41 (correct), seq 3757093227, win 0, length 0
13:54:36.117239 IP (tos 0x0, id 60432, offset 0, flags [none], proto TCP (6), length 40)
    XX.XX.XX.XX.56202 > YY.YY.YY.YY.80: Flags [R], cksum 0xfe24 (correct), seq 3757093256, win 0, length 0
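A check for the symptom in the attached capture, added here as an example and not part of the original post or of Snort: a small Python parser for "tcpdump -v" output in the same layout as rst.txt that flags reset packets whose IP header line carries no "ttl" field, which tcpdump omits exactly when the TTL is 0 (so the attached lines, which show no ttl at all, are consistent with the TTL 0 observation). The sample records are constructed with RFC 5737 addresses; the third one is a healthy reset with ttl 64 for contrast.

```python
import re
from dataclasses import dataclass

# Constructed sample in the "tcpdump -v" layout of the attached rst.txt, with
# RFC 5737 documentation addresses instead of the poster's hosts. tcpdump only
# prints "ttl N" when N >= 1, so a header line without it is a TTL 0 packet
# (first two records). The third record is a healthy reset, added for contrast.
SAMPLE = """\
13:54:36.117190 IP (tos 0x0, id 2980, offset 0, flags [none], proto TCP (6), length 40)
    192.0.2.10.56202 > 198.51.100.20.80: Flags [R], cksum 0xfeb5 (correct), seq 3757093111, win 0, length 0
13:54:36.117206 IP (tos 0x0, id 6393, offset 0, flags [none], proto TCP (6), length 40)
    192.0.2.10.56202 > 198.51.100.20.80: Flags [R], cksum 0xfe98 (correct), seq 3757093140, win 0, length 0
13:54:37.000100 IP (tos 0x0, ttl 64, id 7, offset 0, flags [DF], proto TCP (6), length 40)
    192.0.2.10.56202 > 198.51.100.20.80: Flags [R], cksum 0x1234 (correct), seq 3757093169, win 0, length 0
"""

IP_LINE = re.compile(r"^(?P<ts>\S+) IP \((?P<hdr>.*)\)$")
TCP_LINE = re.compile(r"^\s+(?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]*)\]"
                      r".*?\bseq (?P<seq>\d+)")

@dataclass
class Packet:
    ts: str
    src: str
    dst: str
    flags: str
    seq: int
    ttl: int  # 0 when tcpdump printed no ttl field

def parse_tcpdump(text: str) -> list[Packet]:
    """Pair each 'IP (...)' header line with the TCP line that follows it."""
    packets: list[Packet] = []
    hdr = None
    for line in text.splitlines():
        if m := IP_LINE.match(line):
            hdr = m
        elif hdr and (t := TCP_LINE.match(line)):
            ttl = re.search(r"\bttl (\d+)", hdr.group("hdr"))
            packets.append(Packet(hdr.group("ts"), t.group("src"), t.group("dst"),
                                  t.group("flags"), int(t.group("seq")),
                                  int(ttl.group(1)) if ttl else 0))
            hdr = None  # each header is consumed by exactly one TCP line
    return packets

def unroutable_resets(packets: list[Packet]) -> list[Packet]:
    """RSTs sent with TTL 0: a router must discard such a packet instead of
    forwarding it, so the active response never reaches the other end."""
    return [p for p in packets if "R" in p.flags and p.ttl == 0]
```

Running `unroutable_resets(parse_tcpdump(open("rst.txt").read()))` over a real capture lists every reset that left the sensor already undeliverable, which is the quickest way to confirm the fix once the TTL problem is resolved.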