Additional notes on Stumbler.
This is an addition to yesterday's diary:
http://isc.sans.org/diary.html?date=2003-06-22
To detect these packets with Snort, Brian Coyle has provided a Snort rule:
alert tcp any any -> any any (msg:"WATCHLIST - 20030613-window size 0xDA00";
flags: S; window: 55808; classtype:bad-unknown; sid:9999999; rev:2;
reference:url,cert.uni-stuttgart.de/archive/intrusions/2003/06/msg00146.html;
reference:url,www.gcn.com/vol1_no1/daily-updates/22371-1.html;
reference:url,www.securityfocus.com/archive/75/324348/2003-06-09/2003-06-15/0;)
To capture the packets, tcpdump can be used:
tcpdump -i eth0 -np -s 1500 -w /root/tcp-5508 'tcp[14:2] = 55808'
Adjust "eth0" to be your primary network device.
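As an added example (not part of the diary, and not Brian Coyle's code), the following Python reproduces what both the Snort rule (flags: S; window: 55808) and the BPF filter tcp[14:2] = 55808 look at, by parsing the TCP flags byte and the 16-bit window at TCP offset 14 out of a raw IPv4 packet; the sample packets are constructed inline with dummy addresses and no checksums.

```python
import struct

STUMBLER_WINDOW = 0xDA00  # 55808, the window size the Snort rule and BPF filter match
TCP_SYN = 0x02

def tcp_window_and_flags(ip_packet: bytes):
    """Return (flags, window) from a raw IPv4/TCP packet, or None if it is not TCP.

    Parses only what the Snort rule and the filter tcp[14:2] inspect:
    the TCP flags byte (TCP offset 13) and the window field (TCP offset 14-15).
    """
    if len(ip_packet) < 20 or ip_packet[0] >> 4 != 4:
        return None
    ihl = (ip_packet[0] & 0x0F) * 4          # IPv4 header length in bytes
    if ip_packet[9] != 6 or len(ip_packet) < ihl + 20:
        return None                           # protocol 6 = TCP
    tcp = ip_packet[ihl:]
    flags = tcp[13]
    window = struct.unpack("!H", tcp[14:16])[0]
    return flags, window

def is_stumbler_probe(ip_packet: bytes) -> bool:
    """Match the rule's semantics: exactly SYN set (Snort 'flags:S') and window 55808."""
    parsed = tcp_window_and_flags(ip_packet)
    if parsed is None:
        return False
    flags, window = parsed
    return flags == TCP_SYN and window == STUMBLER_WINDOW

def build_packet(flags: int, window: int) -> bytes:
    """Constructed test packet: minimal IPv4 + TCP headers, dummy 10.0.0.x addresses."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", 1234, 80, 0, 0, 5 << 4, flags, window, 0, 0)
    return ip + tcp

if __name__ == "__main__":
    for label, pkt in [("SYN, window 55808", build_packet(TCP_SYN, 55808)),
                       ("SYN/ACK, window 55808", build_packet(0x12, 55808)),
                       ("SYN, window 65535", build_packet(TCP_SYN, 65535))]:
        print(f"{label}: {'ALERT' if is_stumbler_probe(pkt) else 'ok'}")
```

The same check applied to a pcap written by the tcpdump command above would flag only the SYN packets, which is the subset the Snort rule alerts on.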
Here are some additional links to Stumbler articles and pages:
http://news.com.com/2100-1002_3-1019759.html
http://www.eweek.com/article2/0,3959,1130754,00.asp
http://www.gcn.com/vol1_no1/daily-updates/22371-1.html
http://www.informationweek.com/story/showArticle.jhtml?articleID=10700645
http://www.internetwk.com/breakingNews/showArticle.jhtml?articleID=10700746
http://www.lancope.com/news/Virus_Alert_Trojan.htm
http://securityfocus.com/archive/1/326149/2003-06-19/2003-06-25/0
http://www.securityfocus.com/archive/75/324348/2003-06-09/2003-06-15/0
http://www.theregister.co.uk/content/55/31341.html