Snort mailing list archives

Previous By Date Next
Previous By Thread Next

ID'ing loopback spoof

From: <Blake.Fithen () aventis com>
Date: Wed, 17 Dec 2003 20:46:15 -0600

Hello, 

Trying to ID activity/scans which have the following 
characteristics:

- Source Address: 127.0.0.1 (spoofed)
- Source Port: 80
- Protocol: TCP
- Destination Address: scanning entire internal /16 private
supernet
- Destination Port: randomized between 1000..2000
- Average packet size: 64.0000 bytes
- Flags set: RST, ACK
- Payload: varies except for several fixed characters: E A P p (
- Periodicity: random/varies.  continues for 1 - 3 hours
  then stops for ~6..~24 hours.
- Frame Size: static 60 bytes
- Window Size, a consistent 55808 regardless of source address

Gut feeling is that this activity throttles M$ HTTP/DNS/? 
services/daemons which require a restart/reboot of the service
or server. IOW - a reboot is pretty much guaranteed to fix it 
fix a few hours.

Any help would be sincerely appreciated.

Happy Holidays!!!

--
blake


-------------------------------------------------------
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id78&alloc_id371&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: