Snort mailing list archives
ID'ing loopback spoof
From: <Blake.Fithen () aventis com>
Date: Wed, 17 Dec 2003 20:46:15 -0600
Hello, Trying to ID activity/scans which have the following characteristics: - Source Address: 127.0.0.1 (spoofed) - Source Port: 80 - Protocol: TCP - Destination Address: scanning entire internal /16 private supernet - Destination Port: randomized between 1000..2000 - Average packet size: 64.0000 bytes - Flags set: RST, ACK - Payload: varies except for several fixed characters: E A P p ( - Periodicity: random/varies. continues for 1 - 3 hours then stops for ~6..~24 hours. - Frame Size: static 60 bytes - Window Size, a consistent 55808 regardless of source address Gut feeling is that this activity throttles M$ HTTP/DNS/? services/daemons which require a restart/reboot of the service or server. IOW - a reboot is pretty much guaranteed to fix it fix a few hours. Any help would be sincerely appreciated. Happy Holidays!!! -- blake ------------------------------------------------------- This SF.net email is sponsored by: IBM Linux Tutorials. Become an expert in LINUX or just sharpen your skills. Sign up for IBM's Free Linux Tutorials. Learn everything from the bash shell to sys admin. Click now! http://ads.osdn.com/?ad_id78&alloc_id371&op=click _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- ID'ing loopback spoof Blake.Fithen (Dec 30)