Snort mailing list archives

(no subject)


From: snrt <snrt () packetstorm org>
Date: Tue, 24 Jun 2003 14:30:02 -0500 (CDT)


Hello, I'm using Snort 2.x on Red Hat 9 and added the signature from the
snort-sig list posted by Brian Coyle for the 55808 trojan traffic.

I saw a hit from a single address over a few seconds late at night and I 
am wondering if I did something wrong with the rule.

The rule posted (sorry, cut and pasted so it's goofy looking):

alert tcp any any -> any any (msg:"WATCHLIST - 20030613-window size 0xDA00"; \
  flags:S; window:55808; classtype:bad-unknown; sid:9999999; rev:2; \
  reference:url,cert.uni-stuttgart.de/archive/intrusions/2003/06/msg00146.html; \
  reference:url,www.gcn.com/vol1_no1/daily-updates/22371-1.html; \
  reference:url,www.securityfocus.com/archive/75/324348/2003-06-09/2003-06-15/0;)


Snort tagged it and ACID shows it. The weird thing is that I have 78 hits
from the same IP address going to port 443 (my web server port acting as
port 80 since my ISP blocks port 80 ... bah).

So I figured maybe the post on my website is triggering the rule. I
compared the access log hits and those were a lot less than the sensor
hits, and there have been plenty of views on this page from elsewhere
without the sensor being alerted. Still not convinced, I checked the ACID
TCP information:

source port  dest port  R1  R0  URG  ACK  PSH  RST  SYN  FIN  seq #       ack  offset  res  window  urp  chksum
1206         443                                    X         3238984777  0    8       0    55808   0    34723


The window shows port 55808. 

So looking at the access log file I noticed that the client being used was
ID'd as:

"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705)"


So can anyone explain what the deal is? It would seem that a Windows NT
system sent packets of window size 55808 to my web server port while
accessing the website at the same time.

Or is the signature causing the alert, and if so, then why doesn't it alert
for anyone visiting the page with the data about this new trojan?


thanks!

Greg
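The posted rule has no content keyword, so it never looks at the HTTP request or the page being served; it only compares two TCP header fields on each packet. The following is an added example, not code from the post or from the Snort project: it re-implements those two checks with Snort 2.x semantics (flags:S with no modifier means SYN set and every other flag bit clear; window:55808 is an exact comparison) and runs them over constructed TCP segments. One segment reproduces the field values from the ACID row above; the others, including the Host name example.invalid and the request path, are made up for illustration.

```python
import struct

# Added example, not part of the original post: a minimal re-implementation of the
# header checks the posted Snort rule performs (flags:S; window:55808), run over
# constructed TCP segments.

WATCHLIST_WINDOW = 55808            # 0xDA00, the window size the rule looks for

# TCP flag bits, low byte of the 16-bit data-offset/flags field (RFC 793 order)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

TCP_HDR = "!HHIIHHHH"   # sport, dport, seq, ack, offset/flags, window, checksum, urgptr


def build_tcp(sport, dport, seq, ack, flags, window, payload=b""):
    """Build a 20-byte TCP header (no options) plus payload. The checksum is
    left at zero because these segments are never transmitted."""
    offset_flags = (5 << 12) | flags        # data offset = 5 words = 20 bytes
    return struct.pack(TCP_HDR, sport, dport, seq, ack, offset_flags, window, 0, 0) + payload


def parse_tcp(segment):
    """Decode the fields the rule cares about from a raw TCP segment."""
    sport, dport, seq, ack, offset_flags, window, _chk, _urp = struct.unpack(TCP_HDR, segment[:20])
    data_offset = (offset_flags >> 12) * 4
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": offset_flags & 0xFF,       # all eight flag bits, including CWR/ECE
        "window": window,
        "payload": segment[data_offset:],
    }


def rule_matches(tcp):
    """Snort 2.x semantics: 'flags:S' with no modifier matches only when SYN is
    set and every other flag bit is clear; 'window:55808' is an exact header
    comparison. No content keyword is present, so the payload is never inspected."""
    return tcp["flags"] == SYN and tcp["window"] == WATCHLIST_WINDOW


# Constructed sample segments. The first reproduces the alerted packet from the
# poster's ACID table; the rest show what the rule does and does not match.
SAMPLES = {
    # the packet ACID recorded: SYN only, window 55808, ports 1206 -> 443
    "acid_syn_55808": build_tcp(1206, 443, 3238984777, 0, SYN, WATCHLIST_WINDOW),
    # same window on a SYN/ACK reply: flags are not exactly S, so no alert
    "synack_55808": build_tcp(443, 1206, 1, 3238984778, SYN | ACK, WATCHLIST_WINDOW),
    # ordinary SYN from a client with a different initial window
    "syn_other_window": build_tcp(1207, 443, 42, 0, SYN, 65535),
    # a request for a page about the trojan: PSH/ACK, payload ignored by the rule
    # (path and host name are made up for this example)
    "http_get_about_55808": build_tcp(
        1206, 443, 3238984778, 1, PSH | ACK, 17520,
        b"GET /55808-trojan-window-0xDA00.html HTTP/1.1\r\nHost: example.invalid\r\n\r\n"),
}


def evaluate_samples(samples=SAMPLES):
    """Return {name: True/False} for whether the rule would fire on each segment."""
    return {name: rule_matches(parse_tcp(seg)) for name, seg in samples.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:22} -> {'ALERT' if hit else 'no alert'}")
```

Running it shows that only the bare SYN with window 55808 fires; the request that actually fetches the page never can, because its flags are PSH/ACK and the rule never inspects payload. That is why page views from other visitors produce no alerts, and why an alert on port 443 says something about the connecting host's TCP stack (its initial window on the SYN) rather than about the page content.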




