IDS mailing list archives
RE: [Snort-sigs] new Q signature
From: "Hall, Andrew (DPRS)" <AndrewR.hall () aph gov au>
Date: Tue, 11 Feb 2003 08:17:14 +1100
Jon, If you are seeing something the TTL decement all the way to 1 then you probably have a routing loop. Ie are the destinations actually used in your address space? If not, what can happen is that your border router will route the address into your network, while your next device inside the border router will route it back by its default route. Just something to check. Andrew -----Original Message----- From: Jon [mailto:warchild () spoofed org] Sent: Tuesday, 11 February 2003 6:53 AM To: snort-sigs () lists sourceforge net Cc: focus-ids () securityfocus com Subject: [Snort-sigs] new Q signature Greetings, For a month or more now, I've been getting alerts from Snort's spp_stream4 about the TTL expiring. Whats interesting is that all of these packets were nearly identical: IP ID of 0 ACK + RST flags set generally to port 80 TCP sequence number set TCP payload 'cko' Window size of 0 The 'cko' stuff smells of Q, but I couldn't find any *definite* proof that it was. Many people have reported this on various lists, but I have yet to see answers. Also, many of these people were seeing it coming from a broadcast address, whereas I'm seeing it from addresses worldwide. In an effort to get to the bottow of this, I wrote a signature that uses tag: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Possible Q-Backdoor traffic (Tag)"; content:"cko"; depth:3; dsize:3; tag:host,100,packets,src;) I'm now catching a dozen or so machines per hour, but not all of them are tripping the tag. This means that the sensor never sees any other traffic from the source. A handful of machines do some innocent web browsing of machines on the networks I watch, and then terminate the connetion. Seconds later, the 'cko' packet shows up from that host. Other times, a host on my network browses a remote site, and eventually terminates the connection. Seconds later, the 'cko' packet shows up on my doorstep from the remote site. I'm curious if anyone else has experienced this and/or knows what is causing it. If you don't want to tag, use this: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Possible Q-Backdoor traffic"; content:"cko"; depth:3; dsize:3;) Any information would be greatly appreciated. thanks, -jon ------------------------------------------------------- This SF.NET email is sponsored by: SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See! http://www.vasoftware.com _______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs
Current thread:
- RE: [Snort-sigs] new Q signature Hall, Andrew (DPRS) (Feb 10)
- Re: [Snort-sigs] new Q signature Jon (Feb 10)
- Re: [Snort-sigs] new Q signature Jason (Feb 10)
- Re: [Snort-sigs] new Q signature Jon (Feb 10)
- Re: [Snort-sigs] new Q signature Jason (Feb 10)
- Re: [Snort-sigs] new Q signature Jon (Feb 10)