IDS mailing list archives
new Q signature
From: Jon <warchild () spoofed org>
Date: Mon, 10 Feb 2003 14:53:11 -0500
Greetings,

For a month or more now, I've been getting alerts from Snort's spp_stream4 about the TTL expiring. What's interesting is that all of these packets were nearly identical:

- IP ID of 0
- ACK + RST flags set
- generally to port 80
- TCP sequence number set
- TCP payload 'cko'
- Window size of 0

The 'cko' stuff smells of Q, but I couldn't find any *definite* proof that it was. Many people have reported this on various lists, but I have yet to see answers. Also, many of these people were seeing it coming from a broadcast address, whereas I'm seeing it from addresses worldwide.

In an effort to get to the bottom of this, I wrote a signature that uses tag:

    alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Possible Q-Backdoor traffic (Tag)"; content:"cko"; depth:3; dsize:3; tag:host,100,packets,src;)

I'm now catching a dozen or so machines per hour, but not all of them are tripping the tag. This means that the sensor never sees any other traffic from the source. A handful of machines do some innocent web browsing of machines on the networks I watch, and then terminate the connection. Seconds later, the 'cko' packet shows up from that host. Other times, a host on my network browses a remote site, and eventually terminates the connection. Seconds later, the 'cko' packet shows up on my doorstep from the remote site.

I'm curious if anyone else has experienced this and/or knows what is causing it.

If you don't want to tag, use this:

    alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Possible Q-Backdoor traffic"; content:"cko"; depth:3; dsize:3;)

Any information would be greatly appreciated.

thanks,
-jon
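The following is an added example, not part of Jon's post and not Snort code: it applies the rule's content/depth/dsize test and the fuller packet fingerprint from the post to a small constructed stream of packet records, and emulates the tag:host,100,packets,src behaviour by collecting later packets from a source host that triggered an alert. The Packet field names, the RFC 5737 addresses and the sample packets are all assumptions made for the example.

```python
"""Added example: 'cko' fingerprint matching and a simplified emulation of
Snort's tag:host,<n>,packets,src over constructed packet records.
Not Jon's code and not Snort's implementation."""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class Packet:
    # Constructed record; field names are this example's own, not Snort's.
    src: str
    dst: str
    sport: int
    dport: int
    ip_id: int
    flags: Set[str]      # e.g. {"ACK", "RST"}
    seq: int
    window: int
    payload: bytes


def matches_rule(pkt: Packet) -> bool:
    """content:"cko"; depth:3; dsize:3 -> payload is exactly b'cko'."""
    return len(pkt.payload) == 3 and pkt.payload[:3] == b"cko"


def matches_full_fingerprint(pkt: Packet) -> bool:
    """Stricter check using the other traits listed in the post:
    IP ID 0, ACK+RST only, a non-zero sequence number, window 0."""
    return (matches_rule(pkt)
            and pkt.ip_id == 0
            and pkt.flags == {"ACK", "RST"}
            and pkt.seq != 0
            and pkt.window == 0)


class HostTagger:
    """Emulates tag:host,<n>,packets,src: after an alert, keep the next n
    packets whose source address equals the alerting packet's source.
    Simplification (assumed): a second alert from an already tagged host
    does not reset its budget."""

    def __init__(self, max_packets: int = 100) -> None:
        self.max_packets = max_packets
        self.budget: Dict[str, int] = {}          # src -> packets still to keep
        self.tagged: Dict[str, List[Packet]] = {}  # src -> packets kept so far
        self.alerts: List[Packet] = []

    def feed(self, pkt: Packet) -> None:
        # Packets arriving after an alert from this source are collected first.
        if self.budget.get(pkt.src, 0) > 0:
            self.tagged[pkt.src].append(pkt)
            self.budget[pkt.src] -= 1
        # Then the packet itself is tested against the signature.
        if matches_rule(pkt):
            self.alerts.append(pkt)
            if pkt.src not in self.budget:
                self.budget[pkt.src] = self.max_packets
                self.tagged[pkt.src] = []


def analyze(packets: List[Packet], max_packets: int = 100) -> dict:
    """Run the stream through the tagger and summarise what it caught."""
    tagger = HostTagger(max_packets)
    for pkt in packets:
        tagger.feed(pkt)
    return {
        "alerts": len(tagger.alerts),
        "full_fingerprint": sum(matches_full_fingerprint(p) for p in tagger.alerts),
        "tagged": {host: len(kept) for host, kept in tagger.tagged.items()},
    }


# Constructed sample stream (RFC 5737 documentation addresses):
# a short web session, then the 'cko' packet from the same host, then more
# traffic; a second host sends near-misses that exercise the edge cases.
SAMPLE: List[Packet] = [
    Packet("198.51.100.7", "192.0.2.10", 40001, 80, 31337, {"SYN"}, 1000, 65535, b""),
    Packet("198.51.100.7", "192.0.2.10", 40001, 80, 31338, {"ACK"}, 1001, 65535, b"GET / HTTP/1.0\r\n\r\n"),
    Packet("198.51.100.7", "192.0.2.10", 40001, 80, 31339, {"FIN", "ACK"}, 1019, 65535, b""),
    Packet("198.51.100.7", "192.0.2.10", 40002, 80, 0, {"ACK", "RST"}, 2147483647, 0, b"cko"),  # full fingerprint
    Packet("198.51.100.7", "192.0.2.10", 40003, 80, 31340, {"SYN"}, 5000, 65535, b""),        # tagged
    Packet("203.0.113.9", "192.0.2.10", 50000, 80, 0, {"ACK", "RST"}, 77, 512, b"cko"),     # rule only (window != 0)
    Packet("203.0.113.9", "192.0.2.10", 50001, 80, 0, {"ACK", "RST"}, 78, 0, b"ckoxyz"),    # dsize 6: no match, but tagged
    Packet("203.0.113.9", "192.0.2.10", 50002, 80, 5, {"ACK"}, 79, 100, b""),               # tagged
]

if __name__ == "__main__":
    print(analyze(SAMPLE))
```

Running the block on the sample stream reports two rule alerts, only one of which carries the full fingerprint, and shows one tagged follow-up packet for the first host and two for the second. The dsize:3 condition is what keeps the longer "ckoxyz" payload from alerting, which is the same reason the rule does not fire on ordinary HTTP data that merely contains those three bytes.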
Current thread:
- new Q signature Jon (Feb 10)