Snort mailing list archives

Re: RE: 55808 window size [WAS: (no subject)]


From: Frank Knobbe <fknobbe () knobbeits com>
Date: 24 Jun 2003 18:21:55 -0500

On Tue, 2003-06-24 at 16:11, Coyle, Brian wrote:
As of this morning, I've now seen a couple of false positives from this rule.
Occasionally, a source with legit traffic[1] will start with a window size of 
55808.  Snort triggers on the 55808/SYN packet, but subsequent packets have 
a reduced window size.  The IP Seq. numbers will also vary as expected for 
regular traffic.


Other normal traffic has odd Window sizes as well (58400, 63999, 65217,
56940, 17207, 58204, 24616, etc). Why everyone is chasing 55808 is
beyond me. Yeah, it was/is the common thing with some of these scans,
but everyone is using that Window size _by_itself_ as some kind of
identifier (i.e. Snort rule). That's absurd. .... Oh well, don't get me
started on some of these so-called "security researchers" (or
market-droids).... sometimes I wonder if they don't "find" exploits in
their own marketing department...

Joe Stewart said in an Incidents post "Probably someone's idea of a joke
on the infosec community." 

That "trojan" may not have been a joke, but the way some people made use
of the situation surely is a joke.

"Move on, nothing to see here." comes to mind...

Regards,
Frank
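The point Brian and Frank make above, that a rule keyed on the TCP window value 55808 on the SYN alone will fire on legitimate connections whose later packets drop to a smaller window, can be illustrated with a small per-source check. The following is an added example written for this archive page, not code from the thread or from Snort; the packet records are constructed (source and destination addresses, flags, window sizes and sequence numbers are all assumed for illustration) and the "hold the alert until more packets from the same source are seen" logic is one possible refinement, not anything the posters proposed.

```python
"""Added example: window-size-only match versus a per-source check.

Constructed packet records, not real captures. Each record is
(src, dst, flags, window, seq). The naive check reproduces the behaviour
described in the thread: it fires on any SYN carrying window 55808. The
per-source check keeps the alert only when every packet seen from that
source carried 55808, and clears sources whose later packets use a
different window, which is what the quoted legitimate traffic does.
"""
from collections import defaultdict

SUSPECT_WINDOW = 55808  # the value discussed in the thread

# Constructed sample traffic (assumption: chosen to mirror the thread's
# description, not taken from any real capture).
PACKETS = [
    # Legitimate host: SYN with window 55808, then ordinary traffic with a
    # smaller window and advancing sequence numbers.
    ("10.0.0.5", "192.0.2.10", "SYN", 55808, 1000),
    ("10.0.0.5", "192.0.2.10", "ACK", 16384, 1001),
    ("10.0.0.5", "192.0.2.10", "PSH-ACK", 16384, 1001),
    # Source that only ever sends lone SYNs with window 55808.
    ("203.0.113.7", "192.0.2.10", "SYN", 55808, 42),
    ("203.0.113.7", "192.0.2.11", "SYN", 55808, 42),
    # Host with another odd-looking window that should not alert at all.
    ("10.0.0.9", "192.0.2.10", "SYN", 63999, 500),
    ("10.0.0.9", "192.0.2.10", "ACK", 63999, 501),
]


def window_only_alerts(packets):
    """Naive rule: one alert per SYN whose window equals 55808."""
    return [(src, dst) for src, dst, flags, win, _seq in packets
            if flags == "SYN" and win == SUSPECT_WINDOW]


def per_source_review(packets):
    """Refined check over all packets grouped by source address.

    Returns (alerts, cleared): sources that sent a 55808 SYN and never
    showed any other window stay in `alerts`; sources that sent a 55808 SYN
    but later used a different window (the legitimate case in the thread)
    go to `cleared` instead of raising an alert.
    """
    by_src = defaultdict(list)
    for src, _dst, flags, win, _seq in packets:
        by_src[src].append((flags, win))

    alerts, cleared = [], []
    for src, pkts in by_src.items():
        if not any(f == "SYN" and w == SUSPECT_WINDOW for f, w in pkts):
            continue  # never matched the naive rule, nothing to decide
        if all(w == SUSPECT_WINDOW for _f, w in pkts):
            alerts.append(src)
        else:
            cleared.append(src)
    return alerts, cleared


if __name__ == "__main__":
    print("window-only alerts:", window_only_alerts(PACKETS))
    print("per-source alerts, cleared:", per_source_review(PACKETS))
```

On the constructed sample the naive check raises three alerts, one of them for the legitimate host 10.0.0.5, while the per-source check keeps only 203.0.113.7 and records 10.0.0.5 as cleared. The cost of the refinement is state: the alert for a source cannot be decided on its first packet, so in a real sensor this is a correlation step over a short window of traffic rather than a single-packet rule.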
