Snort mailing list archives

RE: 55808 window size [WAS: (no subject)]


From: "Coyle, Brian" <Brian.Coyle () disney com>
Date: Tue, 24 Jun 2003 17:11:14 -0400

snrt <snrt () packetstorm org> wrote:

[major snipage]
Hello, I'm using snort 2.x on RedHat 9 and added the signature from the 
snort-sig list posted by Brian Coyle for the 55808 trojan traffic.

I saw a hit from a single address over a few seconds late at night and I 
am wondering if I did something wrong with the rule.


Snort tagged it and Acid shows it. The weird thing is that I have 78 hits 
from the same IP address going to port 443 (my webserver port acting as 
port 80 since my ISP blocks port 80 ... bah). 


So can anyone explain what the deal is? 

As of this morning, I've now seen a couple of false positives from this rule.
Occasionally, a source with legit traffic[1] will start with a window size of 
55808.  Snort triggers on the 55808/SYN packet, but subsequent packets have 
a reduced window size.  The IP Seq. numbers will also vary as expected for 
regular traffic.


HTH!

                                    -- Brian, GCIA

[1] I've seen mostly spammers targeting a mailserver, so 'legit' is loosely
defined.  ;)
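The false positive Brian describes comes from a per-packet rule keying on a single TCP field. The following is an added example, not code from the thread or from Snort: it replays a few constructed packet records through an emulation of the window-size rule and then triages each flow the way an analyst would by hand, marking a flow as a likely false positive when the window shrinks after the SYN and the sequence numbers advance as normal traffic does. The IP addresses, ports and sequence values are made up; the page only states that legitimate sources can open with window 55808 and then reduce it, so the "needs_review" verdict means nothing more than that the flow did not show that legitimate pattern.

```python
# Added example (not from the original post): emulate a per-packet
# "window size == 55808" signature, then re-examine each flow to see
# whether the window shrank and the sequence numbers varied afterwards,
# which is the behaviour the thread reports for legitimate traffic.

from collections import defaultdict

TROJAN_WINDOW = 55808  # TCP window size the original Snort rule keys on

# Constructed sample records: (src_ip, dst_ip, dst_port, flags, seq, window).
# Addresses are RFC 5737 documentation ranges; values are made up for the demo.
SAMPLE_PACKETS = [
    # legitimate SMTP client: SYN advertises 55808, later segments shrink it
    ("192.0.2.10", "198.51.100.5", 25, "S", 1000, 55808),
    ("192.0.2.10", "198.51.100.5", 25, "A", 1001, 32120),
    ("192.0.2.10", "198.51.100.5", 25, "PA", 1001, 31744),
    ("192.0.2.10", "198.51.100.5", 25, "A", 1234, 30000),
    # a source that never deviates from 55808 (hypothetical, for contrast)
    ("203.0.113.7", "198.51.100.5", 443, "S", 777, 55808),
    ("203.0.113.7", "198.51.100.5", 443, "S", 777, 55808),
    ("203.0.113.7", "198.51.100.5", 443, "S", 777, 55808),
]


def naive_window_rule(packets):
    """Emulate the per-packet signature: every packet with window 55808 alerts."""
    return [p for p in packets if p[5] == TROJAN_WINDOW]


def triage_flows(packets, min_packets=2):
    """Group packets by (src, dst, dport) and classify each flow the rule hit.

    likely_false_positive: window dropped below 55808 on later packets and
                           the sequence numbers moved, as in normal traffic.
    needs_review:          the flow never showed that legitimate pattern.
    single_packet_insufficient: only one packet seen, nothing to compare.
    """
    flows = defaultdict(list)
    for src, dst, dport, flags, seq, win in packets:
        flows[(src, dst, dport)].append((flags, seq, win))

    verdicts = {}
    for key, pkts in flows.items():
        windows = [w for _, _, w in pkts]
        seqs = [s for _, s, _ in pkts]
        if TROJAN_WINDOW not in windows:
            continue  # the signature never fired on this flow
        if len(pkts) < min_packets:
            verdicts[key] = "single_packet_insufficient"
        elif any(w != TROJAN_WINDOW for w in windows[1:]) and len(set(seqs)) > 1:
            verdicts[key] = "likely_false_positive"
        else:
            verdicts[key] = "needs_review"
    return verdicts


if __name__ == "__main__":
    hits = naive_window_rule(SAMPLE_PACKETS)
    print(f"per-packet rule fired {len(hits)} times from "
          f"{len({h[0] for h in hits})} source(s)")
    for flow, verdict in triage_flows(SAMPLE_PACKETS).items():
        print(f"{flow[0]} -> {flow[1]}:{flow[2]}  {verdict}")
```

Run as a script it prints one verdict per flow. The point of the two-pass structure is that the alert count alone (four hits here) says nothing; what separates the legitimate SMTP client from the other source is what the rest of the flow did, which a single-packet content rule cannot see.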

