Snort mailing list archives

Re: BAD TRAFFIC data in TCP SYN packet

From: Brian <bmc () snort org>
Date: Wed, 26 Feb 2003 10:00:06 -0500

On Tue, Feb 25, 2003 at 10:25:20AM -0500, Keith Pachulski wrote:

bad rule

bad-traffic.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD TRAFFIC data in TCP SYN packet"; flags:S; 
dsize:>6; reference:url,www.cert.org/incident_notes/IN-99-07.html; sid:526;  classtype:misc-activity; rev:4;)

the rule lacks the tcp ports noted in the cert advisory


Seeing data in the payload is STILL bad, regardless of the ports stated
in the CERT advisory.  Obviously, nobody has ever changed the port on a
malicious tool.

The reference is there to provide you with an idea of what is going on and
an example of its malicious usage.

-brian


-------------------------------------------------------
This SF.net email is sponsored by: Scholarships for Techies!
Can't afford IT training? All 2003 ictp students receive scholarships.
Get hands-on training in Microsoft, Cisco, Sun, Linux/UNIX, and more.
www.ictp.com/training/sourceforge.asp
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

BAD TRAFFIC data in TCP SYN packet John York (Feb 25)
- <Possible follow-ups>
- RE: BAD TRAFFIC data in TCP SYN packet Keith Pachulski (Feb 25)
  - Re: BAD TRAFFIC data in TCP SYN packet Phil Wood (Feb 25)
  - Re: BAD TRAFFIC data in TCP SYN packet Brian (Feb 26)
- BAD TRAFFIC data in TCP SYN packet Ron Shuck (Feb 25)
- RE: BAD TRAFFIC data in TCP SYN packet Coyle, Brian (Feb 25)
- RE: BAD TRAFFIC data in TCP SYN packet John York (Feb 25)
- RE: BAD TRAFFIC data in TCP SYN packet John York (Feb 25)