Snort mailing list archives
Re: Land Attack
From: Ashley Thomas <athomas () cc gatech edu>
Date: Tue, 31 Dec 2002 12:05:52 -0500
I see 2 rules -

dos.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS Land attack"; id:3868; seq: 3868; flags:S; reference:cve,CVE-1999-0016; classtype:attempted-dos; sid:269; rev:2;)

bad-traffic.rules: alert ip any any -> any any (msg:"BAD TRAFFIC same SRC/DST"; sameip;reference:cve,CVE-1999-0016; reference:url,www.cert.org/advisories/CA-1997-28.html; classtype:bad-unknown; sid:527; rev:3;)

I was referring to the second one. Is it not Land Attack? The reference, CVE-1999-0016, is the same for both and classifies it as LAND.

So I was wondering if the packet has SRC and DST IP same, it is LAND attack or it has to be a SYN packet with same SRC/DST ports also.

thanks a lot
ashley

Phil Wood wrote:
The rule in snort looks for a SYN packet with IP ident == tcp sequence (0xF1C) which is based on the source for land.c. You would have to peruse the hacker source sites for that. There is no primitive to look for source port equal to destination port. You could write one. %^)

On Tue, Dec 31, 2002 at 02:31:51AM -0500, Ashley Thomas wrote:

Hi,

What is the signature for a Land attack? All the documentation I could get hold of mentioned 'Land Attack' to be a TCP Syn packet with same Src IP/port and Dest IP/port.

http://www.cert.org/advisories/CA-1997-28.html
http://www.insecure.org/sploits/land.ip.DOS.html
http://www.physnet.uni-hamburg.de/physnet/security/vulnerability/land.html

Then how do we classify the DoS attack packet which has same Src IP and Dest IP (let's say it is not a TCP/UDP packet -> so port is not considered)?

Snort signature for Land also has considered only the IP address and not port.

thanks
ashley

--
Ashley Thomas
Research scientist
College of Computing
Georgia Tech.

-------------------------------------------------------
This sf.net email is sponsored by: ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
--
Ashley Thomas
Research scientist
College of Computing
Georgia Tech.
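
The three conditions discussed in this thread, side by side, as an added example that is not part of the original messages or of Snort: a parser for raw IPv4 bytes that reports the same-address test (sid:527), the IP id == TCP seq == 3868 SYN fingerprint (sid:269), and the advisory-style definition with equal ports. The function names, result labels and sample packets are constructed for illustration, and the SYN test is an approximation of `flags:S`.

```python
import socket
import struct

LAND_C_MAGIC = 3868  # 0xF1C: the IP id / TCP seq value that sid:269 matches

def classify(pkt: bytes) -> set:
    """Return which Land-related conditions a raw IPv4 packet meets."""
    hits = set()
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return hits                       # not a complete IPv4 header
    ihl = (pkt[0] & 0x0F) * 4
    ip_id, frag = struct.unpack("!HH", pkt[4:8])
    if pkt[12:16] == pkt[16:20]:
        hits.add("sameip")                # any protocol, as in sid:527
    # The TCP tests need protocol 6, a first fragment and a full TCP header.
    if pkt[9] != 6 or ihl < 20 or frag & 0x1FFF or len(pkt) < ihl + 20:
        return hits
    sport, dport, seq = struct.unpack("!HHI", pkt[ihl:ihl + 8])
    syn_only = (pkt[ihl + 13] & 0x3F) == 0x02   # SYN alone among the six classic flags
    if syn_only and ip_id == LAND_C_MAGIC and seq == LAND_C_MAGIC:
        hits.add("land_c_fingerprint")    # tool fingerprint, as in sid:269
    if syn_only and "sameip" in hits and sport == dport:
        hits.add("land_advisory")         # SYN with same IP and same port
    return hits

def build(src, dst, proto=6, ip_id=1, sport=1025, dport=80, seq=1, flags=0x02):
    """Constructed sample bytes for the parser only (checksums left at 0)."""
    body = b"\x08" + b"\x00" * 7          # minimal ICMP-like body
    if proto == 6:
        body = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 0x50, flags, 512, 0, 0)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), ip_id, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst)) + body

A, B = "192.0.2.10", "192.0.2.20"         # documentation addresses
SAMPLES = {
    "id/seq 3868, same ip+port": build(A, A, ip_id=3868, sport=139, dport=139, seq=3868),
    "same ip+port, other id/seq": build(A, A, sport=139, dport=139),
    "same ip, not TCP": build(A, A, proto=1),
    "id/seq 3868, different ip": build(A, B, ip_id=3868, seq=3868),
    "ordinary SYN": build(A, B),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:28} {sorted(classify(pkt))}")
```

The second and fourth samples show where the two rules diverge: one meets the advisory definition without the id/seq fingerprint, the other carries the fingerprint without matching addresses.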
Current thread:
- Land Attack Ashley Thomas (Dec 31)
- Re: Land Attack Phil Wood (Dec 31)
- Re: Land Attack Ashley Thomas (Dec 31)
- Re: Land Attack Phil Wood (Dec 31)