RE: [Snort-sigs] new Q signature

["Hall, Andrew (DPRS)" <AndrewR.hall () aph gov au>]

Jon,

If you are seeing something the TTL decement all the way to 1 then you
probably have a routing loop.  Ie are the destinations actually used in
your address space?  If not, what can happen is that your border router
will route the address into your network, while your next device inside
the border router will route it back by its default route.

Just something to check.

Andrew

-----Original Message-----
From: Jon [mailto:warchild () spoofed org] 
Sent: Tuesday, 11 February 2003 6:53 AM
To: snort-sigs () lists sourceforge net
Cc: focus-ids () securityfocus com
Subject: [Snort-sigs] new Q signature


Greetings,

For a month or more now, I've been getting alerts from Snort's
spp_stream4 
about the TTL expiring.  Whats interesting is that all of these packets
were nearly identical:

IP ID of 0
ACK + RST flags set
generally to port 80
TCP sequence number set
TCP payload 'cko'
Window size of 0

The 'cko' stuff smells of Q, but I couldn't find any *definite* proof
that it was.  Many people have reported this on various lists, but I
have yet to see answers.  Also, many of these people were seeing it
coming from a broadcast address, whereas I'm seeing it from addresses
worldwide.

In an effort to get to the bottow of this, I wrote a signature that uses
tag:

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Possible Q-Backdoor
traffic (Tag)"; content:"cko"; depth:3; dsize:3;
tag:host,100,packets,src;)

I'm now catching a dozen or so machines per hour, but not all of them
are tripping the tag.  This means that the sensor never sees any other
traffic from the source.  A handful of machines do some innocent web
browsing of machines on the networks I watch, and then terminate the
connetion. Seconds later, the 'cko' packet shows up from that host.
Other times, a host on my network browses a remote site, and eventually
terminates the connection.  Seconds later, the 'cko' packet shows up on
my doorstep from the remote site.

I'm curious if anyone else has experienced this and/or knows what is
causing it.

If you don't want to tag, use this:

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Possible Q-Backdoor
traffic";  content:"cko"; depth:3; dsize:3;)

Any information would be greatly appreciated.

thanks,

-jon


-------------------------------------------------------
This SF.NET email is sponsored by:
SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See!
http://www.vasoftware.com
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs