Snort mailing list archives

Snort and matching window size?


From: James Lay <slave_tothe_box () yahoo com>
Date: Mon, 30 Jun 2003 07:21:06 -0600

Hey all!

Quick question...been trying to match a window size.  Here's the packet:

06/26-08:16:17.848110 80.253.125.31:1862 -> 24.116.*.*:6588
TCP TTL:50 TOS:0x0 ID:0 IpLen:20 DgmLen:40 DF
******S* Seq: 0x1D6E  Ack: 0x0  Win: 0x498D  TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

06/26-08:43:14.784973 217.21.119.4:1025 -> 24.116.*.*:6588
TCP TTL:47 TOS:0x0 ID:0 IpLen:20 DgmLen:40 DF
******S* Seq: 0x1D6E  Ack: 0x0  Win: 0x498D  TcpLen: 20

These are just 2 of them, but the window size for this scan seems to be the same.  This port is always part of a 3 part scan that has port 3128, 6588, and 8080.

Apr  8 08:49:20 homebox kernel: IN=eth0 OUT= MAC=00:60:08:16:39:30:00:08:20:cb:04:a8:08:00 SRC=170.208.15.82 DST=24.116.*.* LEN=40 TOS=0x10 PREC=0x00 TTL=241 ID=61187 PROTO=TCP SPT=21438 DPT=6588 WINDOW=16384 RES=0x00 SYN URGP=0

Apr  8 08:49:20 homebox kernel: IN=eth0 OUT= MAC=00:60:08:16:39:30:00:08:20:cb:04:a8:08:00 SRC=170.208.15.82 DST=24.116.*.* LEN=40 TOS=0x10 PREC=0x00 TTL=241 ID=57956 PROTO=TCP SPT=48159 DPT=3128 WINDOW=16384 RES=0x00 SYN URGP=0

Apr  8 08:49:20 homebox kernel: IN=eth0 OUT= MAC=00:60:08:16:39:30:00:08:20:cb:04:a8:08:00 SRC=170.208.15.82 DST=24.116.*.* LEN=40 TOS=0x10 PREC=0x00 TTL=241 ID=10814 PROTO=TCP SPT=47980 DPT=8080 WINDOW=16384 RES=0x00 SYN URGP=0

I know that 3128 is Squid and that 8080 is SOCKS, and after doing some research (http://isc.incidents.org/port_details.html?port=6588&repax=1&tarax=2&srcax=2&percent=N&days=40&Redraw=) this is an AnalogX proxy scan.  I'm using:

alert tcp $EXTERNAL_NET any -> $HOME_NET 6588 (msg:"AnalogX Proxy Server Scan"; flags:S;)

as my rule, but I'd like to know if there's a way to match the window size.  I tried matching it with a content matching keyword, but that didn't work.  Does the content keyword match just the data portion of the packet?  Or does it content match against headers as well?  Thanks all!

James
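An added example, not code from the post or from the Snort project, that works the question above from the defender's side: it parses the two log formats quoted in the message (the three-line Snort alert text and the netfilter kernel LOG lines), reports which sources sent a SYN carrying the 0x498D window, and flags a source that has SYN-probed all three proxy ports (3128, 6588, 8080) within a short interval. Snort's `content` option searches only the packet payload, so it never sees the TCP header; the Snort 2 `window` rule option compares the TCP window value, written in decimal (0x498D is 18829). The `SNORT_RULE` string, the `sid` value and the 60-second interval are assumptions of this example, and the sample input is reconstructed from the lines in the post with the wrapped netfilter lines re-joined and the destination left masked as the author wrote it.

```python
"""Parse the two log formats quoted in the post (Snort alert text and Linux
netfilter LOG lines), check the TCP window of each SYN, and look for one source
probing all three proxy ports. Added example, not code from the post."""
import re
from collections import defaultdict
from datetime import datetime

PROXY_PORTS = frozenset({3128, 6588, 8080})  # the 3-part proxy scan described in the post
SUSPECT_WINDOW = 0x498D                       # = 18829, the Win: value in both Snort alerts

# Snort's `content` option only searches the payload, so it cannot see the TCP
# header; the Snort 2 `window` option compares the TCP window (decimal).
# Rule text is an added example; sid 1000001 is a placeholder local ID.
SNORT_RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 6588 (msg:"AnalogX Proxy Server Scan"; '
              'flags:S; window:%d; sid:1000001; rev:1;)' % SUSPECT_WINDOW)

_SNORT_HDR = re.compile(r'^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (?P<src>\S+):(?P<sport>\d+) '
                        r'-> (?P<dst>\S+):(?P<dport>\d+)$')
_SNORT_TCP = re.compile(r'^(?P<flags>[A-Z*12]{8}) Seq: 0x[0-9A-Fa-f]+\s+Ack: 0x[0-9A-Fa-f]+'
                        r'\s+Win: 0x(?P<win>[0-9A-Fa-f]+)')
_NF_LINE = re.compile(r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: (?P<rest>.*)$')
_NF_KV = re.compile(r'(\w+)=(\S*)')


def parse_snort_alerts(text):
    """One record per three-line Snort alert block (header, IP line, TCP line)."""
    lines = [ln.strip() for ln in text.splitlines()]
    records = []
    for i, line in enumerate(lines[:-2]):
        hdr = _SNORT_HDR.match(line)
        tcp = _SNORT_TCP.match(lines[i + 2]) if hdr else None
        if not (hdr and tcp):
            continue
        flags = tcp['flags']  # Snort flag order: 1 2 U A P R S F
        records.append({
            'ts': datetime.strptime(hdr['ts'], '%m/%d-%H:%M:%S.%f'),
            'src': hdr['src'], 'dport': int(hdr['dport']),
            'syn_only': 'S' in flags and 'A' not in flags,
            'win': int(tcp['win'], 16),
        })
    return records


def parse_netfilter(text):
    """One record per netfilter LOG line; wrapped syslog lines must be re-joined first."""
    records = []
    for line in text.splitlines():
        m = _NF_LINE.match(line.strip())
        if not m:
            continue
        kv = dict(_NF_KV.findall(m['rest']))
        if kv.get('PROTO') != 'TCP':
            continue
        bare = {tok for tok in m['rest'].split() if '=' not in tok}  # SYN, ACK, DF, ...
        records.append({
            'ts': datetime.strptime(m['ts'], '%b %d %H:%M:%S'),
            'src': kv['SRC'], 'dport': int(kv['DPT']),
            'syn_only': 'SYN' in bare and 'ACK' not in bare,
            'win': int(kv['WINDOW']),
        })
    return records


def window_matches(records, win=SUSPECT_WINDOW):
    """Sources whose SYN carried the given TCP window value (sorted as strings)."""
    return sorted({r['src'] for r in records if r['syn_only'] and r['win'] == win})


def find_proxy_scans(records, max_seconds=60):
    """{src: ports} for sources that SYN-probed every PROXY_PORT within max_seconds."""
    by_src = defaultdict(list)
    for r in records:
        if r['syn_only'] and r['dport'] in PROXY_PORTS:
            by_src[r['src']].append(r)
    hits = {}
    for src, rs in by_src.items():
        rs.sort(key=lambda r: r['ts'])
        for i, first in enumerate(rs):  # sliding time window starting at each SYN
            seen = {r['dport'] for r in rs[i:]
                    if (r['ts'] - first['ts']).total_seconds() <= max_seconds}
            if seen >= PROXY_PORTS:
                hits[src] = sorted(seen)
                break
    return hits


# Constructed sample input: the alerts and LOG lines quoted in the post (netfilter
# lines re-joined onto one line each); the destination stays masked as in the post.
SNORT_SAMPLE = """\
06/26-08:16:17.848110 80.253.125.31:1862 -> 24.116.*.*:6588
TCP TTL:50 TOS:0x0 ID:0 IpLen:20 DgmLen:40 DF
******S* Seq: 0x1D6E  Ack: 0x0  Win: 0x498D  TcpLen: 20

06/26-08:43:14.784973 217.21.119.4:1025 -> 24.116.*.*:6588
TCP TTL:47 TOS:0x0 ID:0 IpLen:20 DgmLen:40 DF
******S* Seq: 0x1D6E  Ack: 0x0  Win: 0x498D  TcpLen: 20
"""
NETFILTER_SAMPLE = "\n".join(
    "Apr  8 08:49:20 homebox kernel: IN=eth0 OUT= MAC=00:60:08:16:39:30:00:08:20:cb:04:a8:08:00 "
    "SRC=170.208.15.82 DST=24.116.*.* LEN=40 TOS=0x10 PREC=0x00 TTL=241 ID=%d PROTO=TCP "
    "SPT=%d DPT=%d WINDOW=16384 RES=0x00 SYN URGP=0" % t
    for t in [(61187, 21438, 6588), (57956, 48159, 3128), (10814, 47980, 8080)])


def analyze(snort_text=SNORT_SAMPLE, nf_text=NETFILTER_SAMPLE):
    """Run both parsers over the inputs and return the window hits and 3-port scans."""
    records = parse_snort_alerts(snort_text) + parse_netfilter(nf_text)
    return {'window_hits': window_matches(records), 'scans': find_proxy_scans(records)}


if __name__ == '__main__':
    print(SNORT_RULE)
    print(analyze())
```

On the sample input the two Snort alerts are reported as window hits (both SYNs carry 0x498D) but not as a three-port scan, since each source only touched 6588, while the netfilter source is reported as a scan (all three ports in the same second) but not as a window hit, since its window is 16384. The two checks are deliberately separate: a fixed window value identifies one scanner's TCP stack, while the port pattern catches the same behaviour from a scanner whose window differs.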


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
