Snort mailing list archives

Re: Window Size


From: Phil Wood <cpw () lanl gov>
Date: Thu, 19 Jun 2003 16:05:18 -0600

Seeing as how you are a Wood:

alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg: "W32.Randex.C"; flags:S,12; window:55808; classtype: trojan-activity; sid:40666; rev: 1; )
log tcp $EXTERNAL_NET any -> $HOME_NET any ( msg: "W32.Randex.C"; flags:S,12; window:55808; classtype: trojan-activity; sid:40666; rev: 1; )

The above finds any of your internal systems that have decided to join
the fray.  It alerts immediately if your net hosts are sending them.  Otherwise
it will log. (I log using -b to a pcap file so I have all the
nitty gritty in a format I know and love.)

Also, my alert is a "redalert" that will page me!  So far so good, and I
do get other pages via snort so I know my pager is working.  And,
finally, I got 184,007 of these yesterday (midnite to midnite).

Good luck Mr. Wood,

Phil

On Thu, Jun 19, 2003 at 04:36:22PM -0400, Andy Wood wrote:
      Can rules be written to detect a certain WINDOW size (See below
kernel msg(not sure if WINDOW=dsize))

Jun 17 06:59:57 darkgate kernel: TCP DROP: IN=br0 OUT=br0 PHYSIN=eth0 PHYSOUT=eth1 SRC=54.209.165.71 DST=216.216.216.216 LEN=52 TOS=0x00 PREC=0x00 TTL=99 ID=57300 PROTO=TCP SPT=56102 DPT=55533 WINDOW=55808 RES=0x00 SYN URGP=0

      Thanks, 
      Andy


-------------------------------------------------------
This SF.Net email is sponsored by: INetU
Attention Web Developers & Consultants: Become An INetU Hosting Partner.
Refer Dedicated Servers. We Manage Them. You Get 10% Monthly Commission!
INetU Dedicated Managed Hosting http://www.inetu.net/partner/index.php
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

-- 
Phil Wood, cpw () lanl gov
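The same match Phil's rules express (TCP, SYN only with the two reserved bits ignored, window 55808) applied to the netfilter kernel log format Andy posted, as an added example that is not part of the thread or of Snort; the log lines and addresses below are constructed, and the HOME_NET/EXTERNAL_NET direction split of the Snort rules is left out.

```python
from typing import Dict, List, Set, Tuple

# Netfilter LOG prints TCP flags as bare words after the key=value fields.
TCP_FLAG_WORDS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "ECE", "CWR"}
# Snort's "flags:S,12" ignores reserved bits 1 and 2, i.e. the ECN flags.
RESERVED_BITS = {"ECE", "CWR"}
RANDEX_WINDOW = 55808  # window size quoted in the thread

# Constructed sample in the format of Andy's kernel message (RFC 5737 addresses).
# Only the first line matches: line 2 has a normal window, line 3 is not a SYN.
SAMPLE_LOG = """\
Jun 17 06:59:57 darkgate kernel: TCP DROP: IN=br0 OUT=br0 PHYSIN=eth0 PHYSOUT=eth1 SRC=192.0.2.10 DST=198.51.100.5 LEN=52 TOS=0x00 PREC=0x00 TTL=99 ID=57300 PROTO=TCP SPT=56102 DPT=55533 WINDOW=55808 RES=0x00 SYN URGP=0
Jun 17 07:00:01 darkgate kernel: TCP DROP: IN=br0 OUT=br0 PHYSIN=eth0 PHYSOUT=eth1 SRC=192.0.2.11 DST=198.51.100.5 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=1 PROTO=TCP SPT=40000 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 17 07:00:02 darkgate kernel: TCP DROP: IN=br0 OUT=br0 PHYSIN=eth0 PHYSOUT=eth1 SRC=192.0.2.12 DST=198.51.100.5 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=2 PROTO=TCP SPT=40001 DPT=80 WINDOW=55808 RES=0x00 ACK URGP=0
"""


def parse_netfilter_line(line: str) -> Tuple[Dict[str, str], Set[str]]:
    """Split one kernel LOG line into its key=value fields and the set of TCP flag words."""
    _, _, body = line.partition("kernel:")
    fields: Dict[str, str] = {}
    flags: Set[str] = set()
    for tok in body.split():
        key, sep, val = tok.partition("=")
        if sep:
            fields[key] = val
        elif tok in TCP_FLAG_WORDS:
            flags.add(tok)
    return fields, flags


def is_randex_syn(fields: Dict[str, str], flags: Set[str]) -> bool:
    """Mirror the Snort rule: TCP, exactly SYN once reserved bits are dropped, window 55808."""
    if fields.get("PROTO") != "TCP":
        return False
    if (flags - RESERVED_BITS) != {"SYN"}:
        return False
    return fields.get("WINDOW") == str(RANDEX_WINDOW)


def scan_log(text: str) -> List[Tuple[str, str, int]]:
    """Return (SRC, DST, DPT) for every dropped TCP line that matches the window signature."""
    hits: List[Tuple[str, str, int]] = []
    for line in text.splitlines():
        if "TCP DROP:" not in line:
            continue
        fields, flags = parse_netfilter_line(line)
        if is_randex_syn(fields, flags):
            hits.append((fields["SRC"], fields["DST"], int(fields["DPT"])))
    return hits


if __name__ == "__main__":
    for src, dst, dpt in scan_log(SAMPLE_LOG):
        print(f"W32.Randex.C window match: {src} -> {dst}:{dpt}")
```

Pointing this at a real syslog file and counting hits per SRC is a quick way to reproduce the per-day totals Phil mentions without a sensor in the path.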




