Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: DOS rules for Nimda

From: "Richard Ellerbrock" <richarde () eskom co za>
Date: Thu, 26 Sep 2002 17:17:43 +0200
Ah, I think you understand what I am after, probably because you wrote
the book on this kinda stuff - thanks for a great tool!

No, SEQ number not the same. Only thing that is constant is that for
each SYN to a destination there are EXACTLY two of the EXACT same
packets (Flags, SEQ, Source Port and WIN). So here is an example trace:

10.201.151.40 -> 10.201.18.154 D=80 S=4147 SYN SEQ=2132994334 LEN=0
WIN=16384
10.201.151.40 -> 10.201.18.154 D=80 S=4147 SYN SEQ=2132994334 LEN=0
WIN=16384
10.201.151.40 -> 10.201.84.107 D=80 S=4148 SYN SEQ=2147466592 LEN=0
WIN=16384
10.201.151.40 -> 10.201.84.107 D=80 S=4148 SYN SEQ=2147466592 LEN=0
WIN=16384
10.201.151.40 -> 10.201.58.47 D=80 S=4149 SYN SEQ=2147500852 LEN=0
WIN=16384
10.201.151.40 -> 10.201.58.47 D=80 S=4149 SYN SEQ=2147500852 LEN=0
WIN=16384
.
.
.

(copied from sniffer trace, these packets are 0.002 seconds apart!)

For some hosts the WIN size is 8192, but I think this depends on the MS
version and nothing else.

What snort really needs to be able to do is detect a constant source
address with a rapidly changing destination address doing a port scan,
something along the lines of a TCP verion of a ICMP smurf detector.

I will also check out 1.9 for the threshold option.

Richard
http://iptrack.sourceforge.net 



Martin Roesch <roesch () sourcefire com> 2002/09/26 04:27:38 >>>

Is the seq number constant for every connection?  If so you could do a
simple detection rule looking for the seq + window with the SYN flag
set.
If you use version 1.9 you can even use the new threshold keyword to
only
get one event notification for every X alerts....

    -Marty


On 9/26/02 7:11 AM, "Richard Ellerbrock" <richarde () eskom co za> wrote:


I am trying to help a very large site that is being killed by denial

of

service due to a large number of MS type workstations infected by

Nimda.

The standard snort rules are no good as no connection is actually

made,

just a HUGE SYN flood looking for open Web servers to infect.

Traffic

looks like this:

Each host sends 2x SYN packets exactly the same (same source port,

SEQ

and WIN size) to a remote host on port 80. Obviously never gets a

reply.

Within a couple of milliseconds, tries another randon destination.

Now my understanding of snort points to the stream4 processor to

catch

this stuff, but how to configure. The docs are a little unclear to

this

snort newbie. I do get TTL evasion on stream4, but this does not
indicate much.

Any help with rules/setup for this would be great.



-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf 
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net 
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users 
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users 




-- 
Martin Roesch - Founder/CTO Sourcefire Inc. - (410) 290-1616
Sourcefire: Professional Snort Sensor and Management Console
appliances
roesch () sourcefire com - http://www.sourcefire.com 
Snort: Open Source Network IDS - http://www.snort.org 



-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: