Snort mailing list archives
stream4: Stealth activity
From: Paul Schmehl <pauls () utdallas edu>
Date: Thu, 27 Apr 2006 14:54:57 -0500
Recently we've been seeing what appears to be coordinated activity tripping this alert. I've pretty much ignored these alerts in the past because 1) I don't really understand what they mean and 2) They seemed to be somewhat random as to src and 3) Many of them come from networks that I know to be ones our users are using from home.
But this recent activity has me curious as to precisely what this alert means. We're seeing two and sometimes three hosts from the same /24 (and multiple /24s) setting off this alert. That seems to stretch the possibility of randomness to the breaking point.
I gather (from pgs 22 and 23 of the manual) that the stream4 preprocessor reassembles fragmented packets allowing you to track sessions, so I surmise that the stealth activity is an attempt to bypass detection through fragmenting or sending meaningless sequence numbers, but... bypass detection of what? Is this a variation of some type of discovery activity? Or could it be an actual attack against a large number of hosts?
Before I plow into the source code and give myself an enormous headache, is anyone on the list an expert on this *and* have the time to explain it to poor little me?
--
Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
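The post's observation is that several distinct source hosts from the same /24 are tripping the same stream4 alert. One way to check that observation against real alert volume rather than eyeballing it is to group the alerts by source /24 and count distinct sources, targets and alert hits per block. The script below is an added example for that triage step; it is not code from the thread or from the Snort project. It assumes Snort's "fast" alert line layout (message between `[**]` markers, then `{PROTO} src:port -> dst:port`), and the sample alert lines, the addresses (documentation ranges) and the gid:sid:rev values in them are constructed placeholders, not real captures.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in Snort "fast" alert style. Addresses are from
# documentation ranges and the [gid:sid:rev] values are placeholders.
SAMPLE_ALERTS = """\
04/27-10:01:02.000001  [**] [111:9:1] (spp_stream4) STEALTH ACTIVITY [**] [Priority: 2] {TCP} 203.0.113.10:40001 -> 198.51.100.5:80
04/27-10:01:05.000002  [**] [111:9:1] (spp_stream4) STEALTH ACTIVITY [**] [Priority: 2] {TCP} 203.0.113.22:40002 -> 198.51.100.5:443
04/27-10:01:09.000003  [**] [111:9:1] (spp_stream4) STEALTH ACTIVITY [**] [Priority: 2] {TCP} 203.0.113.31:40003 -> 198.51.100.7:22
04/27-10:02:00.000004  [**] [111:9:1] (spp_stream4) STEALTH ACTIVITY [**] [Priority: 2] {TCP} 192.0.2.77:50000 -> 198.51.100.5:80
04/27-10:02:30.000005  [**] [111:9:1] (spp_stream4) STEALTH ACTIVITY [**] [Priority: 2] {TCP} 203.0.113.10:40010 -> 198.51.100.9:80
"""

# Alert message between the [**] markers, optionally preceded by [gid:sid:rev].
MSG_RE = re.compile(r"\[\*\*\]\s+(?:\[[\d:]+\]\s+)?(?P<msg>.*?)\s+\[\*\*\]")
# Trailing "{PROTO} src:port -> dst:port"; ports are optional so ICMP lines still parse.
ENDPOINTS_RE = re.compile(
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)


def parse_alert(line):
    """Return the message, protocol and endpoints of one fast-alert line, or None."""
    m = MSG_RE.search(line)
    e = ENDPOINTS_RE.search(line)
    if not m or not e:
        return None
    return {"msg": m.group("msg"), "proto": e.group("proto"),
            "src": e.group("src"), "dst": e.group("dst")}


def cluster_by_prefix(alert_text, msg_filter="STEALTH ACTIVITY", prefixlen=24, min_hosts=2):
    """Group matching alerts by source /prefixlen and keep blocks with >= min_hosts distinct sources."""
    by_net = defaultdict(lambda: {"sources": set(), "targets": set(), "alerts": 0})
    for line in alert_text.splitlines():
        a = parse_alert(line)
        if a is None or msg_filter not in a["msg"]:
            continue
        # strict=False lets a host address be collapsed to its containing network.
        net = ipaddress.ip_network(f"{a['src']}/{prefixlen}", strict=False)
        entry = by_net[str(net)]
        entry["sources"].add(a["src"])
        entry["targets"].add(a["dst"])
        entry["alerts"] += 1
    result = {}
    for net, entry in by_net.items():
        if len(entry["sources"]) >= min_hosts:
            result[net] = {
                "sources": sorted(entry["sources"], key=ipaddress.ip_address),
                "targets": sorted(entry["targets"], key=ipaddress.ip_address),
                "alerts": entry["alerts"],
            }
    return result


if __name__ == "__main__":
    for net, info in sorted(cluster_by_prefix(SAMPLE_ALERTS).items()):
        print(f"{net}: {len(info['sources'])} distinct sources, "
              f"{len(info['targets'])} distinct targets, {info['alerts']} alerts")
        print("  sources:", ", ".join(info["sources"]))
```

Run against a real alert file (`cluster_by_prefix(open("alert").read())`), blocks with a single tripping host drop out, and what remains is the list of /24s with multiple distinct sources, which is the pattern the post describes; comparing that list against the address ranges known to belong to home users is then a simple set difference.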