Network Security Snort-Signatures

[Snort-sigs] custom signature based on the following tcpdump output

Subject: [Snort-sigs] custom signature based on the following tcpdump output
Date: Thu, 28 Sep 2006 13:50:26 -0700 (PDT)
I used

tcpdump -n -i eth1 port 445 -X -s 4096

to capture the following. We have an infected host doing massive tcp/445 outbound and I'd like to know about these things with the Snort box we have.

I've written custom sigs before, but this one is odd.

Anyone?

13:42:13.547549 10.10.100.72.3399 > 86.245.29.77.microsoft-ds: S 2515211076:2515211076(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
0x0000   4500 0030 2e6a 4000 7d06 ecc9 0a0a 6448      E..0.j@.}.....dH
0x0010   56f5 1d4d 0d47 01bd 95eb 1344 0000 0000      V..M.G.....D....
0x0020   7002 faf0 ed66 0000 0204 05b4 0101 0402      p....f..........
13:42:13.547558 10.10.100.72.3400 > 140.36.4.8.microsoft-ds: S 2515255340:2515255340(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
0x0000   4500 0030 2e6b 4000 7d06 d0de 0a0a 6448      E..0.k@.}.....dH
0x0010   8c24 0408 0d48 01bd 95eb c02c 0000 0000      .$...H.....,....
0x0020   7002 faf0 2493 0000 0204 05b4 0101 0402      p...$...........
13:42:13.573026 10.10.100.72.3453 > 0.24.235.80.microsoft-ds: S 2518238052:2518238052(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
0x0000   4500 0030 2e6c 4000 7d06 75a1 0a0a 6448      E..0.l@.}.u...dH
0x0010   0018 eb50 0d7d 01bd 9619 4364 0000 0000      ...P.}....Cd....
0x0020   7002 faf0 45bc 0000 0204 05b4 0101 0402      p...E...........
13:42:13.585730 10.10.100.72.3454 > 162.80.10.36.microsoft-ds: S 2518293251:2518293251(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
0x0000   4500 0030 2e6d 4000 7d06 b494 0a0a 6448      E..0.m@.}.....dH
0x0010   a250 0a24 0d7e 01bd 961a 1b03 0000 0000      .P.$.~..........
0x0020   7002 faf0 ad0f 0000 0204 05b4 0101 0402      p...............
13:42:13.710749 10.10.100.72.3457 > 11.243.33.109.microsoft-ds: S 2518420341:2518420341(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
0x0000   4500 0030 2e6f 4000 7d06 33a7 0a0a 6448      E..0.o@.}.3...dH
0x0010   0bf3 216d 0d81 01bd 961c 0b75 0000 0000      ..!m.......u....
0x0020   7002 faf0 3bad 0000 0204 05b4 0101 0402      p...;...........
13:42:13.949891 10.10.100.72.3401 > 26.130.248.92.microsoft-ds: S 2515409107:2515409107(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
0x0000   4500 0030 2e70 4000 7d06 4e27 0a0a 6448      E..0.p@.}.N'..dH
0x0010   1a82 f85c 0d49 01bd 95ee 18d3 0000 0000      ...\.I..........
0x0020   7002 faf0 4936 0000 0204 05b4 0101 0402      p...I6..........
13:42:14.053393 10.10.100.72.3402 > 146.4.123.95.microsoft-ds: S 2515488633:2515488633(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
0x0000   4500 0030 2e71 4000 7d06 53a1 0a0a 6448      E..0.q@.}.S...dH
0x0010   9204 7b5f 0d4a 01bd 95ef 4f79 0000 0000      ..{_.J....Oy....
0x0020   7002 faf0 1809 0000 0204 05b4 0101 0402      p...............
13:42:14.053402 10.10.100.72.3404 > 129.19.63.224.microsoft-ds: S 2515527676:2515527676(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
0x0000   4500 0030 2e72 4000 7d06 a010 0a0a 6448      E..0.r@.}.....dH
0x0010   8113 3fe0 0d4c 01bd 95ef e7fc 0000 0000      ..?..L..........
0x0020   7002 faf0 cbf3 0000 0204 05b4 0101 0402      p...............
13:42:14.053407 10.10.100.72.3405 > 6.15.132.180.microsoft-ds: S 2515571125:2515571125(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
0x0000   4500 0030 2e73 4000 7d06 d63f 0a0a 6448      E..0.s@.}..?..dH
0x0010   060f 84b4 0d4d 01bd 95f0 91b5 0000 0000      .....M..........
0x0020   7002 faf0 5869 0000 0204 05b4 0101 0402      p...Xi..........


_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
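The capture above is a single internal host (10.10.100.72) sending SYN-only packets to tcp/445 on unrelated external addresses, several per millisecond: a worm-style sweep rather than anything you can match on payload, since a bare SYN has none. The signature therefore has to key on rate and fan-out per source, not content. The following is an added example, not code from the post or from the Snort project: it decodes the `tcpdump -X` hex back into bytes, confirms each packet really is an IPv4/TCP SYN to port 445 (and that the IP header checksum still verifies, so a mangled paste does not feed the detector), then applies a per-source threshold that fires when one host SYNs to N distinct destinations inside a sliding window. The `SNORT_RULE` string is an assumed Snort 2.x rule using the in-rule `threshold` keyword of that era; its count, seconds and sid are placeholders to tune, not values from the post. The sample input is the first four packets pasted above with the mail-wrapped header lines rejoined.

```python
"""Added example (not from the post or from Snort): decode `tcpdump -X` output,
confirm each packet is an IPv4/TCP SYN to port 445 (IP checksum verified), then
alert when one source fans out to `count` distinct destinations in a sliding window."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Assumed Snort 2.x rule this mirrors; count/seconds/sid are placeholders to tune. Snort's
# in-rule threshold counts packets per source, the code below counts distinct destinations.
SNORT_RULE = ('alert tcp $HOME_NET any -> $EXTERNAL_NET 445 (msg:"Possible SMB worm - '
              'excessive outbound 445 SYNs from one host"; flags:S; flow:stateless; '
              'threshold:type both, track by_src, count 20, seconds 5; sid:1000001; rev:1;)')

TS_RE = re.compile(r"^(\d{2}):(\d{2}):(\d{2}\.\d+)\s")  # start of a tcpdump packet line
HEX_RE = re.compile(r"^0x[0-9a-f]{4}\s+((?:[0-9a-f]{4} ){0,7}[0-9a-f]{4})")  # -X dump row

@dataclass
class Packet:
    ts: float         # seconds since midnight (tcpdump printed no date)
    src: str
    dst: str
    sport: int
    dport: int
    syn_only: bool    # SYN set and no other TCP flag
    ip_csum_ok: bool  # header survived the copy/paste intact

def ip_checksum_ok(hdr: bytes) -> bool:
    """RFC 1071 sum over the whole header, checksum word included, folds to 0xffff."""
    total = sum((hdr[i] << 8) | hdr[i + 1] for i in range(0, len(hdr) - 1, 2))
    while total >> 16:
        total = (total & 0xffff) + (total >> 16)
    return total == 0xffff

def decode(ts: float, raw: bytes):
    """Fields we key on from one IPv4/TCP packet, or None if it is not one."""
    ihl = (raw[0] & 0x0f) * 4
    if (raw[0] >> 4) != 4 or raw[9] != 6 or len(raw) < ihl + 14:
        return None
    tcp, dotted = raw[ihl:], lambda b: ".".join(str(x) for x in b)
    return Packet(ts, dotted(raw[12:16]), dotted(raw[16:20]),
                  int.from_bytes(tcp[0:2], "big"), int.from_bytes(tcp[2:4], "big"),
                  (tcp[13] & 0x3f) == 0x02, ip_checksum_ok(raw[:ihl]))

def parse_tcpdump(text: str) -> list:
    """Group `tcpdump -X` lines into packets; mail-wrapped header fragments are skipped."""
    packets, cur = [], None  # cur = [timestamp, [hex groups]]

    def flush():
        if cur and cur[1]:
            pkt = decode(cur[0], bytes.fromhex("".join(cur[1])))
            if pkt:
                packets.append(pkt)

    for line in text.splitlines():
        if m := TS_RE.match(line):
            flush()
            h, mi, s = m.groups()
            cur = [int(h) * 3600 + int(mi) * 60 + float(s), []]
        elif cur and (m := HEX_RE.match(line.strip())):
            cur[1].append(m.group(1).replace(" ", ""))
    flush()
    return packets

def find_scanners(packets, count=3, seconds=2.0, port=445):
    """One alert per source each time it SYNs to `count` distinct hosts on `port` within
    `seconds`; the window resets after an alert, like Snort's threshold type both."""
    window, alerts = defaultdict(list), []  # src -> [(ts, dst)] still inside the window
    for p in sorted(packets, key=lambda p: p.ts):
        if p.dport != port or not p.syn_only or not p.ip_csum_ok:
            continue
        recent = [(t, d) for t, d in window[p.src] if p.ts - t <= seconds]
        recent.append((p.ts, p.dst))
        targets = sorted({d for _, d in recent})
        if len(targets) >= count:
            alerts.append((p.src, p.ts, targets))
            recent = []
        window[p.src] = recent
    return alerts

# Sample input: the first four packets pasted in the post, header lines unwrapped.
SAMPLE = """\
13:42:13.547549 10.10.100.72.3399 > 86.245.29.77.microsoft-ds: S 2515211076:2515211076(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
0x0000   4500 0030 2e6a 4000 7d06 ecc9 0a0a 6448      E..0.j@.}.....dH
0x0010   56f5 1d4d 0d47 01bd 95eb 1344 0000 0000      V..M.G.....D....
0x0020   7002 faf0 ed66 0000 0204 05b4 0101 0402      p....f..........
13:42:13.547558 10.10.100.72.3400 > 140.36.4.8.microsoft-ds: S 2515255340:2515255340(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
0x0000   4500 0030 2e6b 4000 7d06 d0de 0a0a 6448      E..0.k@.}.....dH
0x0010   8c24 0408 0d48 01bd 95eb c02c 0000 0000      .$...H.....,....
0x0020   7002 faf0 2493 0000 0204 05b4 0101 0402      p...$...........
13:42:13.573026 10.10.100.72.3453 > 0.24.235.80.microsoft-ds: S 2518238052:2518238052(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
0x0000   4500 0030 2e6c 4000 7d06 75a1 0a0a 6448      E..0.l@.}.u...dH
0x0010   0018 eb50 0d7d 01bd 9619 4364 0000 0000      ...P.}....Cd....
0x0020   7002 faf0 45bc 0000 0204 05b4 0101 0402      p...E...........
13:42:13.585730 10.10.100.72.3454 > 162.80.10.36.microsoft-ds: S 2518293251:2518293251(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
0x0000   4500 0030 2e6d 4000 7d06 b494 0a0a 6448      E..0.m@.}.....dH
0x0010   a250 0a24 0d7e 01bd 961a 1b03 0000 0000      .P.$.~..........
0x0020   7002 faf0 ad0f 0000 0204 05b4 0101 0402      p...............
"""

if __name__ == "__main__":
    for src, ts, targets in find_scanners(parse_tcpdump(SAMPLE)):
        print(f"{src} hit {len(targets)} hosts on tcp/445 by t={ts:.3f}s: {targets}")
```

Run against the four sample packets with the default `count=3`, the detector raises one alert for 10.10.100.72 at the third packet, listing the three targets, and then starts a fresh window. The distinct-destination count is what keeps a workstation that retries one file server a hundred times from tripping it, which a plain packet-count threshold (Snort's `threshold`/`detection_filter`) would not distinguish; if the sfPortscan preprocessor is enabled on the sensor it will also report this pattern as a TCP portsweep, so check that before adding a rule that duplicates it. The `ip_csum_ok` gate is there because hex pasted through a mail client is easy to corrupt, and a wrong byte is better rejected than counted.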
