Snort mailing list archives
Re: Land Attack
From: Phil Wood <cpw () lanl gov>
Date: Tue, 31 Dec 2002 09:56:21 -0700
The rule in snort looks for a SYN packet with IP ident == tcp sequence (0xF1C) which is based on the source for land.c. You would have to peruse the hacker source sites for that. There is no primitive to look for source port equal to destination port. You could write one. %^) On Tue, Dec 31, 2002 at 02:31:51AM -0500, Ashley Thomas wrote:
Hi, What is the signature for a Land attack ? All the documentation i could get hold mentioned 'Land Attack' to be a TCP Syn packet with same Src IP/port and Dest IP/port. http://www.cert.org/advisories/CA-1997-28.html http://www.insecure.org/sploits/land.ip.DOS.html http://www.physnet.uni-hamburg.de/physnet/security/vulnerability/land.html Then how do we classify the DoS attack packet which has same Src IP and Dest IP. ( lets say it is not a TCP/UDP packet -> so port is not considered ) Snort signature for Land also has considered only the IP address and not port. thanks ashley -- Ashley Thomas Research scientist College of Computing Georgia Tech. ------------------------------------------------------- This sf.net email is sponsored by:ThinkGeek Welcome to geek heaven. http://thinkgeek.com/sf _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
-- Phil Wood, cpw () lanl gov ------------------------------------------------------- This sf.net email is sponsored by:ThinkGeek Welcome to geek heaven. http://thinkgeek.com/sf _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Land Attack Ashley Thomas (Dec 31)
- Re: Land Attack Phil Wood (Dec 31)
- Re: Land Attack Ashley Thomas (Dec 31)
- Re: Land Attack Phil Wood (Dec 31)