Intrusion Detection Systems mailing list archives
RE: reading signatures?
From: kim () nhi no (Kim Robert Blix)
Date: Mon, 25 Oct 1999 10:35:19 +0200 (CEST)
> the end of it. And it was fast, so it is obviously a script. Here is a better example:
> 14:18:36.148999 x.x.x.x.9999 > x.x.x.0.53: 1205+ (45)
> 14:18:36.188602 x.x.x.x.9999 > x.x.x.0.53: 1205+ (45)
> 14:18:36.756601 x.x.x.x.9999 > x.x.x.255.53: 1205+ (45)
> 14:18:36.803255 x.x.x.x.9999 > x.x.x.255.53: 1205+ (45)
[snip]

2 things come to mind:

1) Covert data sent to a compromised service. Not likely, since there are no response packets coming from your side.

2) DNS scanning, which seems more likely given that broadcast addresses are used.

If I were you I would get some more information though. I assume the x.x.x.244.53 packets are UDP, but are they all? It's fairly easy to recognize a scan if you log TCP packets; flags and such give tell-tale signs (not to mention the fact that tcp.id is 31337 :-P). Sniff the packets to see what they contain. In short, you need to do some more digging.

k
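As an added example (not part of Kim's message or anything else in this thread), here is a small Python parser for the tcpdump one-line DNS summaries quoted above that does the "more digging" the reply asks for: it groups queries by source and flags a source that hits several DNS targets from one fixed source port, singling out network/broadcast destinations. The sample lines and all addresses in them are constructed, since the original post masks its addresses as x.x.x.x.

```python
import re
from collections import defaultdict

# tcpdump DNS summary: "HH:MM:SS.usec src.sport > dst.dport: qid[+] (len)"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+"
    r"(?P<qid>\d+)(?P<flags>\+?)\s+\((?P<length>\d+)\)"
)

# Constructed sample in the same format as the quoted capture (addresses are made up).
SAMPLE = """\
14:18:36.148999 10.0.0.5.9999 > 192.0.2.0.53: 1205+ (45)
14:18:36.188602 10.0.0.5.9999 > 192.0.2.0.53: 1205+ (45)
14:18:36.756601 10.0.0.5.9999 > 192.0.2.255.53: 1205+ (45)
14:18:36.803255 10.0.0.5.9999 > 192.0.2.244.53: 1205+ (45)
14:18:40.000001 192.0.2.10.3412 > 198.51.100.1.53: 2201+ (38)
""".splitlines()

def parse_line(line):
    """Return the fields of one tcpdump DNS line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    for key in ("sport", "dport", "qid", "length"):
        d[key] = int(d[key])
    return d

def is_net_or_broadcast(ip):
    """Last octet .0 or .255: the network/broadcast addresses the reply points at."""
    return ip.rsplit(".", 1)[1] in ("0", "255")

def find_dns_sweeps(lines, min_targets=3):
    """Flag sources querying many DNS destinations (dport 53) or any broadcast address.
    A fixed source port and a fixed query id across targets are the script-like traits."""
    by_src = defaultdict(lambda: {"targets": set(), "sports": set(), "qids": set(), "bcast": set()})
    for line in lines:
        p = parse_line(line)
        if p is None or p["dport"] != 53:
            continue
        s = by_src[p["src"]]
        s["targets"].add(p["dst"]); s["sports"].add(p["sport"]); s["qids"].add(p["qid"])
        if is_net_or_broadcast(p["dst"]):
            s["bcast"].add(p["dst"])
    findings = {}
    for src, s in by_src.items():
        if len(s["targets"]) >= min_targets or s["bcast"]:
            findings[src] = {"targets": len(s["targets"]),
                             "fixed_sport": len(s["sports"]) == 1,
                             "fixed_qid": len(s["qids"]) == 1,
                             "broadcast": sorted(s["bcast"])}
    return findings
```

Running `find_dns_sweeps(SAMPLE)` reports only 10.0.0.5: three targets, one source port, one query id, and two broadcast-style destinations, while the single ordinary lookup from 192.0.2.10 is left alone.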
