Snort mailing list archives

Re: (no subject)


From: James Nonya <slave_tothe_box () yahoo com>
Date: Tue, 24 Jun 2003 13:18:15 -0700 (PDT)


--- snrt <snrt () packetstorm org> wrote:

Hello, I'm using snort 2.x on RedHat 9 and added the signature from the snort-sig list posted by Brian Coyle for the 55808 trojan traffic.

I saw a hit from a single address over a few seconds late at night and I am wondering if I did something wrong with the rule.

The rule posted (sorry, cut 'n' pasted so it's goofy looking):

alert tcp any any -> any any (msg:"WATCHLIST - 20030613-window size 0xDA00"; \
  flags:S; window:55808; classtype:bad-unknown; sid:9999999; rev:2; \
  reference:url,cert.uni-stuttgart.de/archive/intrusions/2003/06/msg00146.html; \
  reference:url,www.gcn.com/vol1_no1/daily-updates/22371-1.html; \
  reference:url,www.securityfocus.com/archive/75/324348/2003-06-09/2003-06-15/0;)


Snort tagged it and ACID shows it. The weird thing is that I have 78 hits from the same IP address going to port 443 (my webserver port acting as port 80 since my ISP blocks port 80 ... bah).

So I figured maybe the post on my website is triggering the rule. I compared the access log hits and those were a lot less than the sensor hits, and there's been plenty of views on this page from elsewhere without the sensor being alerted. Still not convinced, I checked the ACID TCP information:

source port  dest port  R1  R0  URG  ACK  PSH  RST  SYN  FIN  seq #       ack  offset  res  window  urp  chksum
1206         443                                    X         3238984777  0    8       0    55808   0    34723


The window shows port 55808. 

So looking at the access log file I noticed that the client being used was ID'd as:

"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705)"


So can anyone explain what the deal is? It would seem that a Windows NT system sent packets of window size 55808 to my webserver port while accessing the website at the same time.

Or is the signature causing the alert, and if so then why doesn't it alert for anyone visiting the page with the data about this new trojan?


thanks!

Greg



Dig it,

http://www.sarc.com/avcenter/venc/data/trojan.linux.typot.html
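What the quoted rule actually tests, as an added example written for this archive page (it is not code from the thread, from Brian Coyle's signature, or from the Snort project): a small Python re-implementation of the rule's two detection options, flags:S and window:55808, run over raw TCP headers. The header builder, the parser and the sample packets are constructed here; the first sample is modelled on the values in the ACID row above (fixed 20-byte header, so its data offset is 5 rather than 8). The reserved-bit handling follows the Snort 2.x manual's description of flags:S versus flags:S,12.

```python
import struct

# TCP flag bits in the low byte of the offset/flags word: the six RFC 793 flags
# plus the two bits (CWR/ECE) that Snort's flags keyword calls reserved bit 1 and 2.
FIN, SYN, RST, PSH, ACK, URG, RES1, RES2 = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80
TYPOT_WINDOW = 55808  # 0xDA00, the window size the quoted rule keys on


def build_tcp_header(sport, dport, seq, ack, flags, window, urp=0, checksum=0):
    """Constructed helper: build a 20-byte TCP header with no options
    (data offset 5 words). The checksum field is stored as given, not computed."""
    offset_flags = (5 << 12) | (flags & 0xFF)
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                       offset_flags, window, checksum, urp)


def parse_tcp_header(raw):
    """Decode the fixed 20-byte part of a TCP header into a dict."""
    if len(raw) < 20:
        raise ValueError("TCP header shorter than 20 bytes")
    sport, dport, seq, ack, offset_flags, window, checksum, urp = \
        struct.unpack("!HHIIHHHH", raw[:20])
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "offset": offset_flags >> 12,   # header length in 32-bit words
        "flags": offset_flags & 0xFF,   # FIN..URG plus the two reserved bits
        "window": window, "checksum": checksum, "urp": urp,
    }


def flags_only_syn(flags, ignore_reserved=False):
    """Snort 'flags:S' semantics: SYN set and every other flag bit clear.
    With ignore_reserved=True this behaves like 'flags:S,12' instead."""
    mask = (~(RES1 | RES2)) & 0xFF if ignore_reserved else 0xFF
    return (flags & mask) == SYN


def rule_matches(hdr, ignore_reserved=False):
    """The quoted rule's detection options: any -> any, flags:S, window:55808.
    Nothing else (ports, payload, direction, the web page content) is examined,
    which is why a single legitimate SYN can trip it."""
    return flags_only_syn(hdr["flags"], ignore_reserved) and hdr["window"] == TYPOT_WINDOW


def scan(packets, ignore_reserved=False):
    """Return (sport, dport) for every packet the rule would alert on."""
    hits = []
    for raw in packets:
        hdr = parse_tcp_header(raw)
        if rule_matches(hdr, ignore_reserved):
            hits.append((hdr["sport"], hdr["dport"]))
    return hits


# Constructed samples; these are not packets from the poster's sensor.
SAMPLES = [
    # Modelled on the ACID row in the thread: SYN to 443, window 55808.
    build_tcp_header(1206, 443, 3238984777, 0, SYN, 55808, checksum=34723),
    # Ordinary client SYN with a common window size: no alert.
    build_tcp_header(1207, 443, 12345678, 0, SYN, 65535),
    # SYN/ACK carrying the same window: flags:S requires SYN alone, so no alert.
    build_tcp_header(443, 1206, 99, 3238984778, SYN | ACK, 55808),
    # ECN-capable SYN (CWR+ECE set) with window 55808: flags:S does not match,
    # flags:S,12 would.
    build_tcp_header(1208, 443, 555, 0, SYN | RES1 | RES2, 55808),
]

if __name__ == "__main__":
    print("flags:S    ->", scan(SAMPLES))
    print("flags:S,12 ->", scan(SAMPLES, ignore_reserved=True))
```

Run as-is, the script reports one hit for the rule as written (the SYN modelled on the ACID row) and a second for the flags:S,12 variant. The point for anyone tuning this signature is that the rule inspects only the SYN flag and the advertised window, so a visit to the page about the trojan cannot trigger it through its content, while any host whose TCP stack happens to advertise a 55808-byte window on a SYN will.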



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

