Snort mailing list archives
Re: RE: 55808 window size [WAS: (no subject)]
From: Frank Knobbe <fknobbe () knobbeits com>
Date: 24 Jun 2003 18:21:55 -0500
On Tue, 2003-06-24 at 16:11, Coyle, Brian wrote:
As of this morning, I've now seen a couple of false positives from this rule. Occasionally, a source with legit traffic[1] will start with a window size of 55808. Snort triggers on the 55808/SYN packet, but subsequent packets have a reduced window size. The IP Seq. numbers will also vary as expected for regular traffic.
Other normal traffic has odd Window sizes as well (58400, 63999, 65217, 56940, 17207, 58204, 24616, etc). Why everyone is chasing 55808 is beyond me. Yeah, it was/is the common thing with some of these scans, but everyone is using that Window size _by_itself_ as some kind of identifier (i.e. Snort rule). That's absurd....

Oh well, don't get me started on some of these so-called "security researchers" (or market-droids).... sometimes I wonder if they don't "find" exploits in their own marketing department...

Joe Stewart said in an Incidents post "Probably someone's idea of a joke on the infosec community." That "trojan" may not have been a joke, but the way some people made use of the situation surely is a joke. "Move on, nothing to see here." comes to mind...

Regards,
Frank
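The false-positive mechanism both posts describe (a legitimate SYN that happens to carry window 55808, followed by segments with a smaller window and advancing sequence numbers) can be reproduced against constructed packet records. The following is an added example, not code from the thread or from Snort: it contrasts a stateless per-packet match on window size, in the spirit of the rule being criticised, with a flow-level check that only reports a flow after it has been observed doing nothing beyond sending 55808-window SYNs. The packet records, addresses and port numbers are constructed for the example.

```python
from collections import defaultdict

# Constructed packet records (not real captures): one record per TCP segment.
PACKETS = [
    # Flow A: legitimate client as described in the thread. The SYN carries
    # window 55808; later segments shrink the window and the seq advances.
    {"src": "192.0.2.10", "sport": 40001, "dst": "198.51.100.5", "dport": 80,
     "flags": "S",  "win": 55808, "seq": 1000},
    {"src": "192.0.2.10", "sport": 40001, "dst": "198.51.100.5", "dport": 80,
     "flags": "A",  "win": 17520, "seq": 1001},
    {"src": "192.0.2.10", "sport": 40001, "dst": "198.51.100.5", "dport": 80,
     "flags": "PA", "win": 17520, "seq": 1001},
    # Flow B: bare SYNs with a fixed window and seq that never progress
    # beyond the SYN. Constructed to illustrate the contrast only.
    {"src": "203.0.113.7", "sport": 31337, "dst": "198.51.100.5", "dport": 80,
     "flags": "S", "win": 55808, "seq": 4242},
    {"src": "203.0.113.7", "sport": 31337, "dst": "198.51.100.5", "dport": 80,
     "flags": "S", "win": 55808, "seq": 4242},
]

SUSPECT_WINDOW = 55808


def flow_key(pkt):
    """4-tuple used to group segments into a flow."""
    return (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])


def naive_alerts(packets):
    """Stateless per-packet rule: fire on every SYN whose window is 55808.

    This is the behaviour the thread complains about; it fires once for
    flow A's SYN even though the flow then behaves normally.
    """
    return [flow_key(p) for p in packets
            if "S" in p["flags"] and p["win"] == SUSPECT_WINDOW]


def flow_context_alerts(packets):
    """Same trigger, evaluated per flow after all of its segments are seen.

    A flow is reported only if it contained a 55808-window SYN AND it never
    sent a non-SYN segment AND its window never changed. Flow A is cleared
    by both of the latter conditions; flow B is not.
    """
    flows = defaultdict(list)
    for p in packets:
        flows[flow_key(p)].append(p)

    alerts = []
    for key, segs in flows.items():
        triggered = any("S" in s["flags"] and s["win"] == SUSPECT_WINDOW
                        for s in segs)
        if not triggered:
            continue
        progressed = any("S" not in s["flags"] for s in segs)
        window_changed = len({s["win"] for s in segs}) > 1
        if not progressed and not window_changed:
            alerts.append(key)
    return alerts


if __name__ == "__main__":
    print("per-packet alerts :", naive_alerts(PACKETS))
    print("per-flow alerts   :", flow_context_alerts(PACKETS))
```

Run as-is, the stateless rule reports three hits across both flows, while the flow-aware version reports only flow B. The point is the one Frank makes: a single header field is not an identifier, and a detection worth keeping needs at least the flow behaviour around it.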