Snort mailing list archives
Re: mstream and shaft
From: "Stephane Nasdrovisky" <stephane.nasdrovisky () uniway be>
Date: Wed, 30 Jan 2002 16:59:26 +0100
As far as shaft and I are concerned, these are probably false positives. Each time I have checked the packet dumps and the corresponding firewall log, I concluded it was a false positive. The port 20432 was the port assigned by the firewall in the address translation process, not the real port used by any server or client. Removing the masquerading (hide NAT in Checkpoint terminology) address from the $INTERNAL object, or enforcing this rule only on the internal network, would reduce the false positive rate. The rule looks like:

  alert TCP $EXTERNAL any -> $INTERNAL 20432 (flags: A+;)

Using

  alert TCP $EXTERNAL any -> $MY_SERVERS_ROUTABLE_ADDRESSES 20432 (flags: A+;)

could help.

mike maxwell wrote:
I am using snort as an IDS for my network. I am seeing alerts about mstream and shaft traffic to several of my customers' PCs. I know that these PCs are not running unix. Is there a port of this trojan for windows out there in the wild, or are these false alarms?

alert.1:01/29-15:27:03.962255 [**] [1:230:1] DDOS shaft client to handler [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} *.*.*.*:80 -> *.*.*.*:20432
alert.1:01/29-22:19:03.262255 [**] [1:248:1] DDOS mstream handler to client [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} *.*.*.*:12754 -> *.*.*.*:20

--
Mike Maxwell
System Manager--GMA
mmaxwell () gmavt net
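A triage script for the NAT explanation in the reply above, added here as an example and not part of the thread: it parses alert lines of the shape Mike posted, collects the (hide-NAT address, translated port) pairs from a firewall log, and flags alerts whose destination port was one the firewall itself assigned. The firewall log layout, its field names and all addresses are constructed assumptions, not Checkpoint's real format.

```python
import re

# Snort 1.x fast-alert line, as quoted in the thread (addresses below are constructed).
ALERT_RE = re.compile(
    r"\[\d+:(?P<sid>\d+):\d+\] (?P<msg>.+?) \[\*\*\].*?\{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)
# Assumed, simplified firewall log layout: the hide-NAT (masquerading) address and
# the source port the firewall picked for an outbound connection.
NAT_RE = re.compile(r"xlatesrc=(?P<xsrc>[\d.]+) xlatesport=(?P<xport>\d+)")

def parse_alert(line):
    """Return the alert's sid, message and 5-tuple fields as a dict."""
    m = ALERT_RE.search(line)
    if not m:
        raise ValueError(f"unrecognised alert line: {line!r}")
    d = m.groupdict()
    for k in ("sid", "sport", "dport"):
        d[k] = int(d[k])
    return d

def nat_assigned(fw_log):
    """Set of (hide-NAT address, translated port) pairs the firewall handed out."""
    return {(m["xsrc"], int(m["xport"])) for m in map(NAT_RE.search, fw_log) if m}

def classify(alert, assigned):
    """The thread's check: when the alert's destination is the hide-NAT address on a
    port the firewall assigned, 20432 is not a real service and the alert is noise."""
    if (alert["dst"], alert["dport"]) in assigned:
        return "probable false positive (NAT-assigned port)"
    return "needs review"

def triage(alerts, fw_log):
    assigned = nat_assigned(fw_log)
    return [(a["sid"], classify(a, assigned)) for a in map(parse_alert, alerts)]

# Constructed sample data in the same shape as the alerts quoted in the thread.
ALERTS = [
    "01/29-15:27:03.962255 [**] [1:230:1] DDOS shaft client to handler [**] "
    "[Classification: Attempted Denial of Service] [Priority: 2] {TCP} 198.51.100.7:80 -> 203.0.113.10:20432",
    "01/29-22:19:03.262255 [**] [1:248:1] DDOS mstream handler to client [**] "
    "[Classification: Attempted Denial of Service] [Priority: 2] {TCP} 198.51.100.9:12754 -> 203.0.113.25:20",
]
FW_LOG = [
    "src=192.168.1.50 dst=198.51.100.7 service=80 xlatesrc=203.0.113.10 xlatesport=20432",
]

if __name__ == "__main__":
    for sid, verdict in triage(ALERTS, FW_LOG):
        print(sid, verdict)
```

The second alert stays "needs review" because no firewall log line claims port 20 on 203.0.113.25 as a translated port; only a matching NAT record clears an alert.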