
RE: [Snort-sigs] new Q signature

From: Hall, Andrew (DPRS) <AndrewR.hall(at)aph.gov.au>
Date: Mon Feb 10 2003 - 16:17:14 EST


Jon,

If you are seeing something with the TTL decrement all the way to 1, then you probably have a routing loop. I.e., are the destinations actually used in your address space? If not, what can happen is that your border router will route the address into your network, while your next device inside the border router will route it back by its default route.

Just something to check.

Andrew

-----Original Message-----

From: Jon [mailto:warchild@spoofed.org]
Sent: Tuesday, 11 February 2003 6:53 AM
To: snort-sigs@lists.sourceforge.net
Cc: focus-ids@securityfocus.com
Subject: [Snort-sigs] new Q signature

Greetings,

For a month or more now, I've been getting alerts from Snort's spp_stream4
about the TTL expiring. What's interesting is that all of these packets were nearly identical:

IP ID of 0
ACK + RST flags set
generally to port 80
TCP sequence number set
TCP payload 'cko'
Window size of 0


The 'cko' stuff smells of Q, but I couldn't find any *definite* proof that it was. Many people have reported this on various lists, but I have yet to see answers. Also, many of these people were seeing it coming from a broadcast address, whereas I'm seeing it from addresses worldwide.

In an effort to get to the bottom of this, I wrote a signature that uses tag:

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Possible Q-Backdoor traffic (Tag)"; content:"cko"; depth:3; dsize:3; tag:host,100,packets,src;)

I'm now catching a dozen or so machines per hour, but not all of them are tripping the tag. This means that the sensor never sees any other traffic from the source. A handful of machines do some innocent web browsing of machines on the networks I watch, and then terminate the connection. Seconds later, the 'cko' packet shows up from that host. Other times, a host on my network browses a remote site, and eventually terminates the connection. Seconds later, the 'cko' packet shows up on my doorstep from the remote site.

I'm curious if anyone else has experienced this and/or knows what is causing it.

If you don't want to tag, use this:

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Possible Q-Backdoor traffic"; content:"cko"; depth:3; dsize:3;)

Any information would be greatly appreciated.


thanks,

-jon
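An added illustration of how the posted rule and its tag option behave (example code written for this archive page, not from the original thread and not Snort's own code): it emulates the content/depth/dsize match and a simplified tag:host,100,packets,src over constructed packets, and shows why a source that sends nothing after its 'cko' packet never yields tagged packets, which is the behaviour Jon reports. The Packet fields, the sample traffic and the TagTracker approximation are assumptions.

```python
from dataclasses import dataclass

@dataclass
class Packet:
    # Constructed, minimal view of the fields the post enumerates
    src: str
    dport: int
    flags: str      # e.g. "RA" for RST+ACK
    ip_id: int
    window: int
    payload: bytes

def matches_cko_rule(pkt: Packet) -> bool:
    """Emulates content:"cko"; depth:3; dsize:3; from the posted rule."""
    return len(pkt.payload) == 3 and pkt.payload[:3] == b"cko"

def fits_cko_profile(pkt: Packet) -> bool:
    """Stricter check: the full packet profile described in the post."""
    return (matches_cko_rule(pkt) and pkt.ip_id == 0 and pkt.flags == "RA"
            and pkt.window == 0 and pkt.dport == 80)

class TagTracker:
    """Approximates tag:host,100,packets,src: after an alert, record up to
    100 subsequent packets from the same source host (assumed semantics)."""
    def __init__(self, limit: int = 100):
        self.limit = limit
        self.remaining: dict[str, int] = {}   # src host -> packets left to log
        self.tagged: list[Packet] = []

    def process(self, pkt: Packet) -> bool:
        if matches_cko_rule(pkt):
            self.remaining[pkt.src] = self.limit
            return True
        if self.remaining.get(pkt.src, 0) > 0:
            self.remaining[pkt.src] -= 1
            self.tagged.append(pkt)
        return False

def replay(packets):
    """Returns (alerting source hosts, tagged packets) for a packet list."""
    tracker = TagTracker()
    alerts = [p.src for p in packets if tracker.process(p)]
    return alerts, tracker.tagged

# Constructed sample traffic (documentation addresses, not real hosts).
SAMPLE = [
    Packet("203.0.113.9", 80, "PA", 4321, 5840, b"GET / HTTP/1.0\r\n\r\n"),
    Packet("203.0.113.9", 80, "RA", 4322, 0, b""),
    Packet("203.0.113.9", 80, "RA", 0, 0, b"cko"),     # fits the full profile
    Packet("203.0.113.9", 80, "S", 4323, 5840, b""),   # later packet gets tagged
    Packet("198.51.100.7", 80, "RA", 0, 0, b"cko"),    # alerts, never seen again
    Packet("192.0.2.44", 80, "PA", 77, 512, b"ckox"),  # dsize 4: no match
]
```

Running replay(SAMPLE) alerts on both 'cko' senders but tags only the one packet that follows from 203.0.113.9; 198.51.100.7 sends nothing more, so its tag records nothing at all.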




Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

Received on Mon Feb 10 21:00:19 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:09 EDT

