From: Hall, Andrew (DPRS) (AndrewR.hall_at_aph.gov.au)
Date: Mon Feb 10 2003 - 15:17:14 CST


    Jon,

    If you are seeing the TTL decrement all the way to 1 then you
    probably have a routing loop. I.e. are the destinations actually used in
    your address space? If not, what can happen is that your border router
    will route the address into your network, while your next device inside
    the border router will route it back by its default route.

    Just something to check.

    Andrew

    -----Original Message-----
    From: Jon [mailto:warchild@spoofed.org]
    Sent: Tuesday, 11 February 2003 6:53 AM
    To: snort-sigs@lists.sourceforge.net
    Cc: focus-ids@securityfocus.com
    Subject: [Snort-sigs] new Q signature

    Greetings,

    For a month or more now, I've been getting alerts from Snort's
    spp_stream4 about the TTL expiring. What's interesting is that all of
    these packets were nearly identical:

    IP ID of 0
    ACK + RST flags set
    generally to port 80
    TCP sequence number set
    TCP payload 'cko'
    Window size of 0

    The 'cko' stuff smells of Q, but I couldn't find any *definite* proof
    that it was. Many people have reported this on various lists, but I
    have yet to see answers. Also, many of these people were seeing it
    coming from a broadcast address, whereas I'm seeing it from addresses
    worldwide.

    In an effort to get to the bottom of this, I wrote a signature that uses
    tag:

    alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Possible Q-Backdoor
    traffic (Tag)"; content:"cko"; depth:3; dsize:3;
    tag:host,100,packets,src;)

    I'm now catching a dozen or so machines per hour, but not all of them
    are tripping the tag. This means that the sensor never sees any other
    traffic from the source. A handful of machines do some innocent web
    browsing of machines on the networks I watch, and then terminate the
    connection. Seconds later, the 'cko' packet shows up from that host.
    Other times, a host on my network browses a remote site, and eventually
    terminates the connection. Seconds later, the 'cko' packet shows up on
    my doorstep from the remote site.

    I'm curious if anyone else has experienced this and/or knows what is
    causing it.

    If you don't want to tag, use this:

    alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Possible Q-Backdoor
    traffic"; content:"cko"; depth:3; dsize:3;)

    Any information would be greatly appreciated.

    thanks,

    -jon

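As an added example (not code from either poster), the packet traits Jon lists above, checked against raw IPv4/TCP bytes: classify() reports each trait separately, and is_q_cko() mirrors what the Snort rule alone tests (a payload of exactly "cko"), so the extra traits and the TTL Andrew asks about can be compared side by side. The sample packet builder, addresses and port numbers are constructed here and checksums are left zero.

```python
"""Check raw IPv4/TCP packets for the 'cko' traffic pattern from the thread."""
import struct

TCP_ACK = 0x10
TCP_RST = 0x04


def build_packet(payload=b"cko", ip_id=0, ttl=1, flags=TCP_ACK | TCP_RST,
                 window=0, dport=80):
    """Build a minimal IPv4+TCP packet (constructed sample; checksums zeroed)."""
    total_len = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ip_id, 0, ttl, 6, 0,
                     bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    # data offset 5 words, no options; seq/ack/urg values are arbitrary here
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 0x12345678, 0, 5 << 4, flags,
                      window, 0, 0)
    return ip + tcp + payload


def classify(pkt):
    """Return which of the traits listed in the post a packet exhibits, or
    None if the bytes are not an IPv4/TCP packet."""
    ver_ihl, _, total_len, ip_id, _, ttl, proto, _, _, _ = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    if (ver_ihl >> 4) != 4 or proto != 6:
        return None
    ihl = (ver_ihl & 0x0F) * 4
    _, dport, _, _, off, flags, window, _, _ = struct.unpack(
        "!HHIIBBHHH", pkt[ihl:ihl + 20])
    data_off = (off >> 4) * 4
    payload = pkt[ihl + data_off:total_len]
    return {
        "ip_id_zero": ip_id == 0,
        "ack_rst": flags & (TCP_ACK | TCP_RST) == (TCP_ACK | TCP_RST),
        "port_80": dport == 80,
        "window_zero": window == 0,
        # equivalent of content:"cko"; depth:3; dsize:3;
        "payload_cko": payload == b"cko",
        "ttl": ttl,  # a TTL of 1 is the routing-loop symptom Andrew describes
    }


def is_q_cko(pkt):
    """What the posted Snort rule alone matches: payload exactly 'cko'."""
    traits = classify(pkt)
    return bool(traits and traits["payload_cko"])
```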