Snort mailing list archives
Re: Shaft?
From: John Sage <jsage () finchhaven com>
Date: Sun, 25 Aug 2002 11:05:27 -0700
J Craig:
In a word, Yes.
That same source IP, same date, same source port 13000, as well.
There was a thread of about 6 posts regarding this specific probe,
from this specific source IP, on the intrusions () incidents org list.
Here was mine:
< begin post >
A rare bird:
Date: Wed, 21 Aug 2002 21:29:20 -0700
Subject: ACID Incident Report
Generated by ACID v0.9.6b21 on Wed August 21, 2002 21:29:19
------------------------------------------------------------------------------
#(116 - 122) [2002-08-21 09:37:16] [arachNIDS/252-253] DDOS shaft synflood
IPv4: 195.27.218.62 -> 12.82.128.178
hlen=5 TOS=0 dlen=40 ID=39977 flags=0 offset=0 TTL=16 chksum=42056
TCP: port=13000 -> dport: 13000 flags=******S* seq=674711609
ack=647068936 off=5 res=0 win=8768 urp=61171 chksum=64181
Payload: none
------------------------------------------------------------------------------
snort:
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/21-09:37:16.080331 195.27.218.62:13000 -> 12.82.128.178:13000
TCP TTL:16 TOS:0x0 ID:39977 IpLen:20 DgmLen:40 DF
******S* Seq: 0x28374839 Ack: 0x26917D08 Win: 0x2240 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
Snort processed 1 packets.
Breakdown by protocol:                Action Stats:
    TCP: 1          (100.000%)        ALERTS: 0
    UDP: 0          (0.000%)          LOGGED: 0
   ICMP: 0          (0.000%)          PASSED: 0
    ARP: 0          (0.000%)
   IPv6: 0          (0.000%)
    IPX: 0          (0.000%)
  OTHER: 0          (0.000%)
===============================================================================
[toot@sparky /usr/local/2]# ./2.pl hd 28374839
674711609
The relevant snort 1.8.7 rule:
[toot@sparky /usr/local/snort-1.8.7]# grep shaft *.rules
ddos.rules: alert tcp $HOME_NET any <> $EXTERNAL_NET any
(msg:"DDOS shaft synflood"; flags: S; seq: 674711609;
reference:arachnids,253; classtype:attempted-dos; sid:241; rev:2;)
Note that the rule is bidirectional; ArachNIDS 252 is the best
candidate here, as this packet was incoming...
Ref: http://www.whitehats.com/info/IDS252
< end post >
HTH..
- John
--
"In those days, you could not buy a $2000 200MHz Pentium server."
PGP key: http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint: C493 9F26 05A9 6497 9800 4EF6 5FC8 F23D 35A4 F705
On Fri, Aug 23, 2002 at 09:19:18PM -0500, J. Craig Woods wrote:
No, not the movie. The trojan. I was wondering if anyone on the list has
run into the log entry:
Aug 21 16:32:47 lincoln snort: [1:241:2] DDOS shaft synflood
[Classification: Attempted Denial of Service] [Priority: 2]: {TCP}
195.27.218.62:13000 -> X.X.X.X:13000
Aug 22 04:39:18 lincoln snort: [1:241:2] DDOS shaft synflood
[Classification: Attempted Denial of Service] [Priority: 2]: {TCP}
195.27.218.62:6000 -> X.X.X.X:6000
I have left in the source IP because it is important in understanding
this alert. A simple whois will show this IP to be in the RIPE netblock.
It also has no reverse DNS configured. Yes, it might very well be
spoofed or a false positive.
I have checked out all of my security on my server, and things look
intact, and I cannot find any penetration. I was hoping someone might
have some thoughts on this alert or maybe you can point me in the right
direction. Of course, neither of these ports is open to the internet. I
have ipchains logging for attempts on port 6000 (X), and it clearly shows
a DENY on that one. No logging on 13000, but it is filtered (strange port
to be probing, yes?)
Thanks for any assistance,
drjung
--
J. Craig Woods
UNIX Network/System Administration
http://www.trismegistus.net/resume.html
Character is built upon the debris of despair --Emerson
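The sid 241 rule quoted in John's reply fires on a single fixed fingerprint: a bare SYN whose sequence number is 674711609 (0x28374839), in either direction, with arachNIDS 252 for inbound and 253 for outbound. The following is an added example, not code from the thread or from the snort project: it rebuilds the posted packet as raw IPv4+TCP header bytes (checksums left at zero, since the check does not verify them), parses it, and applies the same match, picking the reference to cite from whether the destination is in an assumed $HOME_NET of 12.82.128.0/24.

```python
import struct
from ipaddress import ip_address, ip_network

# Shaft agent SYN-flood fingerprint from the snort 1.8.7 ddos.rules entry (sid 241)
SHAFT_SEQ = 0x28374839   # == 674711609 decimal, the value the rule's "seq:" keyword carries
TCP_SYN = 0x02           # "flags: S" in snort 1.x means the SYN bit and nothing else

def build_packet(src, dst, sport, dport, seq, ack, flags, ttl=16, ip_id=39977, win=0x2240):
    """Constructed IPv4 (no options) + TCP (no options) header; checksums are not computed."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, ip_id, 0x4000, ttl, 6, 0,
                     ip_address(src).packed, ip_address(dst).packed)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, win, 0, 0)
    return ip + tcp

def parse_ipv4_tcp(pkt: bytes) -> dict:
    """Extract only the fields the rule looks at from a raw IPv4+TCP header."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 6:
        raise ValueError("not a TCP segment")
    tcp = pkt[ihl:]
    sport, dport, seq, ack = struct.unpack("!HHII", tcp[:12])
    return {"src": ip_address(pkt[12:16]), "dst": ip_address(pkt[16:20]), "ttl": pkt[8],
            "sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": tcp[13]}

def shaft_synflood_ref(pkt: bytes, home_net: str):
    """Return the arachNIDS id to cite (252 inbound, 253 outbound) or None if the rule would not fire."""
    f = parse_ipv4_tcp(pkt)
    if f["flags"] != TCP_SYN or f["seq"] != SHAFT_SEQ:
        return None
    # The rule is bidirectional (<>); direction only decides which reference applies.
    return 252 if f["dst"] in ip_network(home_net) else 253

# Constructed reproduction of the packet shown in the ACID report / snort output above
SHAFT_PROBE = build_packet("195.27.218.62", "12.82.128.178", 13000, 13000,
                           0x28374839, 0x26917D08, TCP_SYN)

if __name__ == "__main__":
    print(shaft_synflood_ref(SHAFT_PROBE, "12.82.128.0/24"))   # 252: inbound, cite IDS252
```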
