
SANS ISC: Additional notes on Stumbler.

This is an addition to yesterday's diary:

http://isc.sans.org/diary.html?date=2003-06-22

To detect these packets with Snort, Brian Coyle has provided a Snort rule (one rule, split over several lines with backslash continuation):

alert tcp any any -> any any (msg:"WATCHLIST - 20030613-window size 0xDA00"; \
    flags: S; window: 55808; classtype:bad-unknown; sid:9999999; rev:2; \
    reference:url,cert.uni-stuttgart.de/archive/intrusions/2003/06/msg00146.html; \
    reference:url,www.gcn.com/vol1_no1/daily-updates/22371-1.html; \
    reference:url,www.securityfocus.com/archive/75/324348/2003-06-09/2003-06-15/0;)

The rule fires only on segments that carry the SYN flag alone (flags: S) and a window size of exactly 55808 (0xDA00). sid 9999999 is in the local-rule range; change it if it collides with another local rule.
To capture the packets, tcpdump can be used:

tcpdump -i eth0 -np -s 1500 -w /root/tcp-5508 'tcp[14:2] = 55808'

Adjust "eth0" to be your primary network device. The filter compares the two-byte TCP window field (offset 14 in the TCP header) with 55808, so unlike the Snort rule it matches any TCP segment with that window, not only SYNs. Note that -p keeps the interface out of promiscuous mode, so on a sensor fed by a span port or tap, drop -p or you will only see traffic addressed to the capturing host.
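The following is an added example, not code from the diary or from Brian Coyle: it implements the same two checks in Python over raw IPv4/TCP packets, so you can see exactly which header bytes the Snort rule and the tcpdump filter are looking at. The packets are constructed inline (addresses from the 192.0.2.0/24 and 198.51.100.0/24 documentation ranges, arbitrary ports, zeroed checksums) and are not real Stumbler captures; `is_stumbler_syn` mirrors the Snort rule (pure SYN and window 55808) and `matches_tcpdump_filter` mirrors the looser `tcp[14:2] = 55808` test.

```python
import struct
from typing import Optional

STUMBLER_WINDOW = 55808   # 0xDA00, the window size the Stumbler SYNs carry
TCP_SYN = 0x02
TCP_ACK = 0x10
TCP_FLAG_MASK = 0x3F      # FIN, SYN, RST, PSH, ACK, URG; reserved bits ignored


def build_ipv4_tcp(src: str, dst: str, sport: int, dport: int,
                   flags: int, window: int) -> bytes:
    """Build a minimal IPv4 + TCP packet (no options, no payload) as test input.
    Constructed for this example; checksums are left at zero because the
    detector never inspects them."""
    def ip_to_bytes(addr: str) -> bytes:
        return bytes(int(octet) for octet in addr.split("."))

    # TCP: sport, dport, seq, ack, data offset (5 words), flags, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, window, 0, 0)
    total_len = 20 + len(tcp)
    # IPv4: ver/ihl, tos, total length, id, flags/frag, ttl, proto=6 (TCP), csum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                     ip_to_bytes(src), ip_to_bytes(dst))
    return ip + tcp


def parse_tcp(packet: bytes) -> Optional[dict]:
    """Extract addresses, ports, flags and window from an IPv4/TCP packet.
    Returns None for non-IPv4, non-TCP or truncated packets.
    The TCP header starts after IHL*4 bytes of IP header; inside it the window
    is the 2 bytes at offset 14, which is what BPF's tcp[14:2] addresses."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 6 or len(packet) < ihl + 20:
        return None
    tcp = packet[ihl:]
    sport, dport = struct.unpack("!HH", tcp[0:4])
    (window,) = struct.unpack("!H", tcp[14:16])
    return {
        "src": ".".join(str(b) for b in packet[12:16]),
        "dst": ".".join(str(b) for b in packet[16:20]),
        "sport": sport,
        "dport": dport,
        "flags": tcp[13] & TCP_FLAG_MASK,
        "window": window,
    }


def is_stumbler_syn(packet: bytes) -> bool:
    """Same condition as the Snort rule: SYN flag alone and window == 55808."""
    hdr = parse_tcp(packet)
    return hdr is not None and hdr["flags"] == TCP_SYN and hdr["window"] == STUMBLER_WINDOW


def matches_tcpdump_filter(packet: bytes) -> bool:
    """Same condition as 'tcp[14:2] = 55808': window only, any flags."""
    hdr = parse_tcp(packet)
    return hdr is not None and hdr["window"] == STUMBLER_WINDOW


# Constructed sample traffic: one Stumbler-style SYN plus three look-alikes.
SAMPLE_PACKETS = [
    build_ipv4_tcp("192.0.2.10", "198.51.100.5", 40000, 80, TCP_SYN, STUMBLER_WINDOW),
    build_ipv4_tcp("192.0.2.11", "198.51.100.5", 40001, 80, TCP_SYN, 65535),            # ordinary SYN
    build_ipv4_tcp("192.0.2.12", "198.51.100.5", 40002, 80, TCP_ACK, STUMBLER_WINDOW),  # ACK, same window
    build_ipv4_tcp("192.0.2.13", "198.51.100.5", 40003, 80, TCP_SYN | TCP_ACK, STUMBLER_WINDOW),  # SYN/ACK
]


def scan(packets) -> list:
    """Return the parsed headers of every packet the Snort-style check flags."""
    return [parse_tcp(p) for p in packets if is_stumbler_syn(p)]


if __name__ == "__main__":
    for hit in scan(SAMPLE_PACKETS):
        print(f"Stumbler SYN {hit['src']}:{hit['sport']} -> {hit['dst']}:{hit['dport']} "
              f"window=0x{hit['window']:04X}")
```

Running it flags only the first packet; the ACK with the same window is caught by `matches_tcpdump_filter` but not by `is_stumbler_syn`, which is the difference between the tcpdump filter and the Snort rule described above.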

Here are some additional links to Stumbler articles and pages:

http://news.com.com/2100-1002_3-1019759.html

http://www.eweek.com/article2/0,3959,1130754,00.asp

http://www.gcn.com/vol1_no1/daily-updates/22371-1.html

http://www.informationweek.com/story/showArticle.jhtml?articleID=10700645

http://www.internetwk.com/breakingNews/showArticle.jhtml?articleID=10700746

http://www.lancope.com/news/Virus_Alert_Trojan.htm

http://securityfocus.com/archive/1/326149/2003-06-19/2003-06-25/0

http://www.securityfocus.com/archive/75/324348/2003-06-09/2003-06-15/0

http://www.theregister.co.uk/content/55/31341.html
