
SANS ISC: Additional notes on Stumbler. - SANS Internet Storm Center


Additional notes on Stumbler.
This is an addition to yesterday's diary:

http://isc.sans.org/diary.html?date=2003-06-22

To detect these packets with Snort, Brian Coyle has provided a Snort rule (it alerts on any TCP segment with only the SYN flag set and a window size of 55808, i.e. 0xDA00):

alert tcp any any -> any any (msg:"WATCHLIST - 20030613-window size 0xDA00"; flags:S; window:55808; classtype:bad-unknown; sid:9999999; rev:2; reference:url,cert.uni-stuttgart.de/archive/intrusions/2003/06/msg00146.html; reference:url,www.gcn.com/vol1_no1/daily-updates/22371-1.html; reference:url,www.securityfocus.com/archive/75/324348/2003-06-09/2003-06-15/0;)
To capture the packets, tcpdump can be used. The filter below compares the two-byte TCP window field (offset 14 in the TCP header) against 55808:

tcpdump -i eth0 -np -s 1500 -w /root/tcp-5508 'tcp[14:2] = 55808'

Adjust "eth0" to be your primary network device.
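As an added illustration (not code from the diary or from Brian Coyle), the following Python script shows what the Snort rule and the tcpdump filter above actually test for. It constructs a few sample IPv4/TCP headers inline (constructed data, not real captures), reads the window field exactly as the BPF expression tcp[14:2] does, and applies the same two conditions as the Snort rule: SYN flag alone set and window size 55808. The packet builder and the function names are the example's own assumptions.

```python
import struct

# Window value from the Snort rule and tcpdump filter in the diary (0xDA00 = 55808).
STUMBLER_WINDOW = 55808
TCP_SYN = 0x02
TCP_ACK = 0x10


def build_ipv4_tcp(src, dst, sport, dport, flags, window):
    """Construct a minimal IPv4 + TCP header with no payload.

    Constructed sample data only: checksums, sequence numbers and IDs are zero.
    """
    ip_ver_ihl = (4 << 4) | 5          # IPv4, 20-byte header
    total_len = 20 + 20
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        ip_ver_ihl, 0, total_len, 0, 0, 64, 6, 0,   # proto 6 = TCP
        bytes(int(o) for o in src.split(".")),
        bytes(int(o) for o in dst.split(".")),
    )
    data_offset = 5 << 4               # 20-byte TCP header, no options
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0,
                          data_offset, flags, window, 0, 0)
    return ip_hdr + tcp_hdr


def tcp_header(packet):
    """Return the TCP header bytes, skipping the variable-length IPv4 header."""
    ihl = (packet[0] & 0x0F) * 4
    return packet[ihl:]


def tcp_window(packet):
    """Mirror of the BPF expression tcp[14:2]: TCP header bytes 14-15, big-endian."""
    return struct.unpack("!H", tcp_header(packet)[14:16])[0]


def tcp_flags(packet):
    """TCP flag byte (offset 13 in the TCP header)."""
    return tcp_header(packet)[13]


def matches_stumbler_signature(packet):
    """Equivalent of the Snort options flags:S; window:55808.

    Snort's flags:S means the SYN bit is set and no other flag is set.
    """
    if packet[9] != 6:                 # IPv4 protocol field: only TCP qualifies
        return False
    return tcp_flags(packet) == TCP_SYN and tcp_window(packet) == STUMBLER_WINDOW


# Constructed sample traffic: only the first packet should match.
SAMPLE_PACKETS = {
    "syn_window_55808": build_ipv4_tcp("10.0.0.5", "192.0.2.10", 40000, 80, TCP_SYN, STUMBLER_WINDOW),
    "syn_window_8192": build_ipv4_tcp("10.0.0.5", "192.0.2.10", 40001, 80, TCP_SYN, 8192),
    "ack_window_55808": build_ipv4_tcp("10.0.0.5", "192.0.2.10", 40002, 80, TCP_ACK, STUMBLER_WINDOW),
    "synack_window_55808": build_ipv4_tcp("192.0.2.10", "10.0.0.5", 80, 40000, TCP_SYN | TCP_ACK, STUMBLER_WINDOW),
}


def scan(packets):
    """Return the names of packets that match the signature, in input order."""
    return [name for name, pkt in packets.items() if matches_stumbler_signature(pkt)]


if __name__ == "__main__":
    for name in scan(SAMPLE_PACKETS):
        print("match:", name, "window =", tcp_window(SAMPLE_PACKETS[name]))
```

Note the difference between the two checks in the diary: the tcpdump filter matches on the window field alone (so it would also record the ACK and SYN/ACK samples above), while the Snort rule additionally requires a pure SYN. When reviewing a capture made with the tcpdump command, expect more packets than Snort alerts.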

Here are some additional links to Stumbler articles and pages:

http://news.com.com/2100-1002_3-1019759.html

http://www.eweek.com/article2/0,3959,1130754,00.asp

http://www.gcn.com/vol1_no1/daily-updates/22371-1.html

http://www.informationweek.com/story/showArticle.jhtml?articleID=10700645

http://www.internetwk.com/breakingNews/showArticle.jhtml?articleID=10700746

http://www.lancope.com/news/Virus_Alert_Trojan.htm

http://securityfocus.com/archive/1/326149/2003-06-19/2003-06-25/0

http://www.securityfocus.com/archive/75/324348/2003-06-09/2003-06-15/0

http://www.theregister.co.uk/content/55/31341.html
