Additional notes on Stumbler.
this is an addition to yesterdays diary:

To detect these packets with Snort, Brian Coyle has provided a Snort rule:

alert tcp any any -> any any (msg:"WATCHLIST - 20030613-window size 0xDA00";

flags: S; window: 55808; classtype:bad-unknown; sid:9999999; rev:2;



To capture the packets, tcpdump can be used:

tcpdump -i eth0 -np -s 1500 -w /root/tcp-5508 'tcp[14:2] = 55808'

Adjust "eth0" to be your primary network device.

Here are some additional links to Stumbler articles and pages:,3959,1130754,00.asp


76 Posts
Jun 23rd 2003

Sign Up for Free or Log In to start participating in the conversation!