Snort mailing list archives
RE: 55808 window size [WAS: (no subject)]
From: "Coyle, Brian" <Brian.Coyle () disney com>
Date: Tue, 24 Jun 2003 17:11:14 -0400
snrt <snrt () packetstorm org> wrote: [major snipage]
Hello, I'm using snort 2.x on RedHat 9 and added the signature from the snort-sig list posted by Brian Coyle for the 55808 trojan traffic.
I saw a hit from a single address over a few seconds late at night and I am wondering if I did something wrong with the rule.
Snort tagged it and Acid shows it. The weird thing is that I have 78 hits from the same IP address going to port 443 (my webserver port acting as port 80 since my ISP blocks port 80 ... bah).
So can anyone explain what the deal is?
As of this morning, I've now seen a couple of false positives from this rule. Occasionally, a source with legit traffic[1] will start with a window size of 55808. Snort triggers on the 55808/SYN packet, but subsequent packets have a reduced window size. The IP Seq. numbers will also vary as expected for regular traffic.

HTH!

--
Brian, GCIA

[1] I've seen mostly spammers targeting a mailserver, so 'legit' is loosely defined. ;)
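The false-positive pattern Brian describes (a SYN advertising window 55808, followed by packets from the same source with a smaller window) as a post-alert triage script; this is an added example, not part of the thread or of Snort, and the packet records, addresses and the Packet type are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

SUSPECT_WINDOW = 55808  # window size the Snort rule in the thread keys on


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    flags: str    # tcpdump-style flag letters: S=SYN, A=ACK, P=PSH
    seq: int
    window: int


def is_bare_syn(p: Packet) -> bool:
    return "S" in p.flags and "A" not in p.flags


def syn_window_alerts(packets):
    """Naive rule from the thread: alert on every SYN whose window is 55808."""
    return [p for p in packets if is_bare_syn(p) and p.window == SUSPECT_WINDOW]


def triage(packets):
    """Per alerting source: 'likely-legit' if any later non-SYN packet from that source
    advertises a smaller window (Brian's false-positive pattern); otherwise 'suspect',
    which also covers sources from which only 55808 SYNs were ever seen."""
    by_src = defaultdict(list)
    for p in packets:
        by_src[p.src].append(p)
    verdicts = {}
    for src in sorted({a.src for a in syn_window_alerts(packets)}):
        followups = [p for p in by_src[src] if not is_bare_syn(p)]
        reduced = any(p.window < SUSPECT_WINDOW for p in followups)
        verdicts[src] = "likely-legit" if reduced else "suspect"
    return verdicts


# Constructed sample capture (documentation addresses): one real session that starts
# with a 55808 SYN, one source sending only 55808 SYNs, one source that never alerts.
PACKETS = [
    Packet("198.51.100.7", "203.0.113.10", 443, "S", 1000, 55808),
    Packet("198.51.100.7", "203.0.113.10", 443, "A", 1001, 16384),
    Packet("198.51.100.7", "203.0.113.10", 443, "PA", 1001, 16384),
    Packet("192.0.2.99", "203.0.113.10", 25, "S", 4242, 55808),
    Packet("192.0.2.99", "203.0.113.10", 25, "S", 9999, 55808),
    Packet("203.0.113.55", "203.0.113.10", 443, "S", 777, 32768),
]

if __name__ == "__main__":
    print(len(syn_window_alerts(PACKETS)), "alerts;", triage(PACKETS))
```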