
SANS ISC: Additional notes on Stumbler. - SANS Internet Storm Center

This is an addition to yesterday's diary:

To detect these packets with Snort, Brian Coyle has provided a Snort rule:

alert tcp any any -> any any (msg:"WATCHLIST - 20030613-window size 0xDA00"; flags: S; window: 55808; classtype:bad-unknown; sid:9999999; rev:2;)



To capture the packets, tcpdump can be used:

tcpdump -i eth0 -np -s 1500 -w /root/tcp-5508 'tcp[14:2] = 55808'

Adjust "eth0" to be your primary network device.
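As an added example (not part of the original diary and not Brian Coyle's rule), the following Python checker applies the same match as the Snort rule and the tcpdump filter above to raw IPv4/TCP packets: SYN only, TCP window 55808 (bytes 14-15 of the TCP header). The sample packets are constructed inline and have zeroed checksums.

```python
import struct

# Window size used by Stumbler (0xDA00 = 55808), the value matched by
# both the Snort rule and the tcpdump filter above.
STUMBLER_WINDOW = 0xDA00
TCP_SYN = 0x02
TCP_ACK = 0x10

def build_packet(src, dst, sport, dport, flags, window):
    """Build a minimal IPv4 + TCP packet (no options, checksums zeroed).
    Constructed test input only, not captured traffic."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 40, 0, 0, 64, 6, 0,
                         bytes(map(int, src.split("."))),
                         bytes(map(int, dst.split("."))))
    data_offset = 5 << 4  # 20-byte TCP header, no options
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0,
                          data_offset, flags, window, 0, 0)
    return ip_hdr + tcp_hdr

def is_stumbler_probe(packet):
    """True if packet is an IPv4 TCP segment with only SYN set and
    window 55808, mirroring 'flags: S; window: 55808' in the Snort
    rule and 'tcp[14:2] = 55808' in the tcpdump filter."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return False                      # not IPv4
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 6 or len(packet) < ihl + 20:
        return False                      # not TCP, or truncated
    tcp = packet[ihl:]
    if tcp[13] != TCP_SYN:                # Snort "S" means SYN alone
        return False
    window = struct.unpack("!H", tcp[14:16])[0]
    return window == STUMBLER_WINDOW

def count_stumbler_probes(packets):
    return sum(1 for p in packets if is_stumbler_probe(p))

# Constructed samples: a Stumbler-style SYN, a normal SYN, and a
# SYN/ACK that happens to carry the same window (must not match).
SAMPLE_PACKETS = [
    build_packet("10.0.0.5", "192.0.2.10", 40000, 80, TCP_SYN, STUMBLER_WINDOW),
    build_packet("10.0.0.6", "192.0.2.10", 40001, 80, TCP_SYN, 65535),
    build_packet("192.0.2.10", "10.0.0.5", 80, 40000, TCP_SYN | TCP_ACK, STUMBLER_WINDOW),
]

if __name__ == "__main__":
    print(count_stumbler_probes(SAMPLE_PACKETS))  # -> 1
```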

Here are some additional links to Stumbler articles and pages:
