new Q signature

[Jon <warchild () spoofed org>]

Greetings,

For a month or more now, I've been getting alerts from Snort's spp_stream4 
about the TTL expiring.  Whats interesting is that all of these packets were
nearly identical:

IP ID of 0
ACK + RST flags set
generally to port 80
TCP sequence number set
TCP payload 'cko'
Window size of 0

The 'cko' stuff smells of Q, but I couldn't find any *definite* proof that
it was.  Many people have reported this on various lists, but I have yet to
see answers.  Also, many of these people were seeing it coming from a
broadcast address, whereas I'm seeing it from addresses worldwide.

In an effort to get to the bottow of this, I wrote a signature that uses
tag:

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Possible Q-Backdoor traffic
(Tag)"; content:"cko"; depth:3; dsize:3; tag:host,100,packets,src;)

I'm now catching a dozen or so machines per hour, but not all of them are
tripping the tag.  This means that the sensor never sees any other traffic
from the source.  A handful of machines do some innocent web browsing of
machines on the networks I watch, and then terminate the connetion.
Seconds later, the 'cko' packet shows up from that host.  Other times, a
host on my network browses a remote site, and eventually terminates the
connection.  Seconds later, the 'cko' packet shows up on my doorstep from
the remote site.

I'm curious if anyone else has experienced this and/or knows what is
causing it.

If you don't want to tag, use this:

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Possible Q-Backdoor
traffic";  content:"cko"; depth:3; dsize:3;)

Any information would be greatly appreciated.

thanks,

-jon