Snort mailing list archives
(no subject)
From: snrt <snrt () packetstorm org>
Date: Tue, 24 Jun 2003 14:30:02 -0500 (CDT)
Hello, I'm using snort 2.x on RedHat 9 and added the signature from the snort-sig list posted by Brian Coyle for the 55808 trojan traffic. I saw a hit from a single address over a few seconds late at night and I am wondering if I did something wrong with the rule. The rule posted (sorry, cut and pasted so it's goofy looking):

alert tcp any any -> any any (msg:"WATCHLIST - 20030613-window size 0xDA00"; flags: S; window: 55808; classtype:bad-unknown; sid:9999999; rev:2; reference:url,cert.uni-stuttgart.de/archive/intrusions/2003/06/msg00146.html; reference:url,www.gcn.com/vol1_no1/daily-updates/22371-1.html; reference:url,www.securityfocus.com/archive/75/324348/2003-06-09/2003-06-15/0;)

Snort tagged it and ACID shows it. The weird thing is that I have 78 hits from the same IP address going to port 443 (my webserver port acting as port 80 since my ISP blocks port 80 ... bah). So I figured maybe the post on my website is triggering the rule. I compared the access log hits and those were a lot less than the sensor hits; that, and there's been plenty of views on this page from elsewhere without the sensor being alerted. Still not convinced, I checked the ACID TCP information:

source port  dest port  R1  R0  URG  ACK  PSH  RST  SYN  FIN  seq #       ack  offset  res  window  urp  chksum
1206         443        X                                      3238984777  0    8       0    55808   0    34723

The window shows port 55808. So looking at the access log file I noticed that the client being used was ID'd as:

"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705)"

So can anyone explain what the deal is? It would seem that a Windows NT system sent packets of window size 55808 to my webserver port while accessing the website at the same time. Or is the signature causing the alert, and if so then why doesn't it alert for anyone visiting the page with the data about this new trojan? Thanks!
Greg
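The posted rule has no content: keyword; its only tests are flags: S (the SYN flag set and no other flag bits) and window: 55808 (0xDA00) on the TCP header, so the text of a web page can never be what fires it. The following is an added example, not code from Greg's post or from Snort: a minimal TCP header parser plus a function that applies the same two tests, run over constructed header bytes. The first sample is built from the ACID row above on the assumption that the single marked flag column is SYN (the packet has ack 0, so that reading is an assumption, not something the post states); the other samples are invented to show which headers the rule ignores.

```python
import struct

# Added example, not code from the original post or from Snort.
# Bit masks for the six flag bits in the low byte of the TCP
# offset/reserved/flags halfword (RFC 793 layout).
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK, TCP_URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# The value the rule's "window:" keyword tests; the msg text gives it as 0xDA00.
RULE_WINDOW = 0xDA00  # == 55808


def build_tcp_header(sport, dport, seq, ack, flags, window, chksum=0, urp=0, offset=5):
    """Pack a fixed 20-byte TCP header in network byte order (options omitted)."""
    off_res_flags = (offset << 12) | (flags & 0x3F)
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, off_res_flags, window, chksum, urp)


def parse_tcp_header(raw: bytes) -> dict:
    """Unpack the fixed 20-byte TCP header into the fields ACID displays."""
    if len(raw) < 20:
        raise ValueError("TCP header must be at least 20 bytes")
    sport, dport, seq, ack, off_res_flags, window, chksum, urp = struct.unpack("!HHIIHHHH", raw[:20])
    return {
        "sport": sport,
        "dport": dport,
        "seq": seq,
        "ack": ack,
        "offset": off_res_flags >> 12,            # header length in 32-bit words
        "reserved": (off_res_flags >> 6) & 0x3F,  # reserved bits between offset and flags
        "flags": off_res_flags & 0x3F,            # URG ACK PSH RST SYN FIN
        "window": window,
        "chksum": chksum,
        "urp": urp,
    }


def matches_window_rule(raw: bytes) -> bool:
    """Apply the rule's two header tests: flags exactly SYN, window exactly 55808.

    Like Snort's "flags: S", any additional flag bit (e.g. SYN+ACK) is a miss.
    """
    h = parse_tcp_header(raw)
    return h["flags"] == TCP_SYN and h["window"] == RULE_WINDOW


# Constructed sample headers (not captured traffic).
SAMPLES = {
    # Values from the ACID row in the post; SYN as the set flag is an assumption.
    "acid_row_syn": build_tcp_header(1206, 443, 3238984777, 0, TCP_SYN, 55808,
                                     chksum=34723, urp=0, offset=8),
    # Same connection attempt but with an ordinary window: rule does not fire.
    "syn_default_window": build_tcp_header(1206, 443, 3238984777, 0, TCP_SYN, 65535),
    # Server reply carrying window 55808 but SYN+ACK: "flags: S" rejects it.
    "syn_ack_55808": build_tcp_header(443, 1206, 1000, 3238984778, TCP_SYN | TCP_ACK, 55808),
    # A data segment of an established HTTPS session (PSH+ACK): rule ignores it
    # regardless of what page content it carries.
    "psh_ack_data": build_tcp_header(1206, 443, 3238984778, 1001, TCP_PSH | TCP_ACK, 17520),
}


def classify_samples() -> dict:
    """Return, per sample, whether the rule's header tests match."""
    return {name: matches_window_rule(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in classify_samples().items():
        h = parse_tcp_header(SAMPLES[name])
        print(f"{name:20s} flags=0x{h['flags']:02x} window={h['window']:5d} -> {'ALERT' if hit else 'no match'}")
```

Only the SYN-with-window-55808 sample matches; the same client's later data segments and any SYN with a different window do not. Because the window field is chosen by the sending host's TCP stack at connection setup, the browser User-Agent string in the access log is a separate piece of evidence and does not by itself explain the window value.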