Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Snort-Signatures
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Snort-sigs] custom signature based on the following tcpdump output

from [Jamie Riden] Network Security [Permanent Link]
Subject: Re: [Snort-sigs] custom signature based on the following tcpdump output
Date: Thu, 5 Oct 2006 10:52:20 +1300 
On 29/09/06, Jamie Riden <jamesr@europe.com> wrote:
[sorry if this arrives twice - sourceforge claimed it was
non-deliverable as gmail wasn't playing nice with it's callback
mechanism]

On 29/09/06, Agent Smith <news8080@yahoo.com> wrote:

I used

tcpdump -n -i eth1 port 445 -X -s 4096 to capture the
following. we have a infected host doing massive
tcp/445 outbound and I'd like to know about these
things with snort box we have.

I've written custom sigs. before but this one is odd.

Anyone?

13:42:13.547549 10.10.100.72.3399 > 86.245.29.77.microsoft-ds: S  
515211076:2515211076(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
0x0000   4500 0030 2e6a 4000 7d06 ecc9 0a0a 6448 E..0.j@.}.....dH
0x0010   56f5 1d4d 0d47 01bd 95eb 1344 0000 0000 V..M.G.....D....
0x0020   7002 faf0 ed66 0000 0204 05b4 0101 0402 p....f..........


OK, it's too early, but here goes.

These are only SYN packets aren't they? Don't you need something which
has completed the TCP handshake before you can write a signature for
it?

What if you get a box, something like http://nepenthes.mwcollect.org/
maybe, to reply to the SYN? That should you get you more info, maybe
even a malware binary.

Have you seen any IRC traffic from this machine?

cheers,
 Jamie
-- 
Jamie Riden, CISSP / jamesr@europe.com / jamie.riden@gmail.com
NZ Honeynet project - http://www.nz-honeynet.org/

-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys -- and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • Re: [Snort-sigs] custom signature based on the following tcpdump output, Jamie Riden <=
Previous by Date:  [Snort-sigs] Sourcefire VRT Certified Rules Update, Sourcefire VRT
Next by Date:  [Snort-sigs] Bogus CVE in sid 1812, Jeff Nathan
Previous by Thread:  [Snort-sigs] unsubscribe, natesa.sabapathy
Next by Thread:  [Snort-sigs] Bogus CVE in sid 1812, Jeff Nathan
Indexes:  [Date] [Thread] [Top] [All Lists]