
SANS ISC: Additional notes on Stumbler. SANS ISC InfoSec Forums

Additional notes on Stumbler.
This is an addition to yesterday's diary:

To detect these packets with Snort, Brian Coyle has provided a Snort rule (the rule matches TCP SYN packets whose window size is 55808, which is 0xDA00 in hex):

alert tcp any any -> any any (msg:"WATCHLIST - 20030613-window size 0xDA00"; flags: S; window: 55808; classtype:bad-unknown; sid:9999999; rev:2;)

To capture the packets, tcpdump can be used (the filter reads the two-byte window field at offset 14 of the TCP header and matches when it equals 55808; note that, unlike the Snort rule, it does not check the SYN flag):

tcpdump -i eth0 -np -s 1500 -w /root/tcp-5508 'tcp[14:2] = 55808'

Adjust "eth0" to be your primary network device.
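To make clear what both the Snort rule and the tcpdump filter above actually test, here is an added example (not part of the diary and not Brian Coyle's code) that parses the TCP window and flags out of a raw IPv4 packet and applies the two checks in Python. The packets it inspects are constructed inline; real traffic would come from a pcap written by the tcpdump command. It assumes IPv4 with the header length taken from the IHL field and ignores checksums, which is enough to show the offset arithmetic behind tcp[14:2].

```python
import struct

STUMBLER_WINDOW = 0xDA00   # 55808 decimal, the window size the diary's rule looks for
TCP_FLAG_SYN = 0x02
TCP_FLAG_ACK = 0x10


def build_ipv4_tcp(window, flags=TCP_FLAG_SYN, src="10.0.0.1", dst="10.0.0.2",
                   sport=40000, dport=80):
    """Construct a minimal IPv4 + TCP packet (no options, no payload).

    This is a constructed sample for the example; checksums are left as zero.
    """
    ihl = 5                      # 20-byte IP header
    total_len = ihl * 4 + 20     # plus a 20-byte TCP header
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         (4 << 4) | ihl, 0, total_len, 0, 0, 64, 6, 0,
                         bytes(int(o) for o in src.split(".")),
                         bytes(int(o) for o in dst.split(".")))
    data_offset = 5 << 4         # TCP header length in 32-bit words, upper nibble
    tcp_hdr = struct.pack("!HHIIBBHHH",
                          sport, dport, 0, 0, data_offset, flags, window, 0, 0)
    return ip_hdr + tcp_hdr


def parse_ipv4_tcp(packet):
    """Return (flags, window) for an IPv4 packet carrying TCP, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4   # IP header length, so TCP options or not, we find TCP
    if packet[9] != 6:             # protocol field: 6 is TCP
        return None
    tcp = packet[ihl:]
    if len(tcp) < 20:
        return None
    flags = tcp[13]                                   # tcp[13] is the flags byte
    window = struct.unpack("!H", tcp[14:16])[0]       # tcp[14:2] in tcpdump terms
    return flags, window


def matches_tcpdump_filter(packet):
    """Equivalent of 'tcp[14:2] = 55808': window only, any flags."""
    parsed = parse_ipv4_tcp(packet)
    return parsed is not None and parsed[1] == STUMBLER_WINDOW


def matches_snort_rule(packet):
    """Equivalent of the diary's rule: flags: S (exactly SYN) and window: 55808."""
    parsed = parse_ipv4_tcp(packet)
    if parsed is None:
        return False
    flags, window = parsed
    return flags == TCP_FLAG_SYN and window == STUMBLER_WINDOW


def triage(packets):
    """Count how many constructed packets each check would flag."""
    return {
        "tcpdump_filter": sum(matches_tcpdump_filter(p) for p in packets),
        "snort_rule": sum(matches_snort_rule(p) for p in packets),
    }


if __name__ == "__main__":
    sample = [
        build_ipv4_tcp(STUMBLER_WINDOW),                              # SYN, suspect window
        build_ipv4_tcp(STUMBLER_WINDOW, flags=TCP_FLAG_SYN | TCP_FLAG_ACK),  # SYN-ACK
        build_ipv4_tcp(65535),                                        # ordinary SYN
    ]
    print(triage(sample))
```

The difference between the two counters is the practical point: the tcpdump filter records every packet that happens to carry a 55808 window, so the capture file will also contain replies and ordinary data segments that use that window, while the Snort rule only alerts on bare SYNs, which is what the diary is after. Before tuning thresholds, it is worth checking how often legitimate stacks on your own network advertise a 55808 window.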

Here are some additional links to Stumbler articles and pages (the first link survives only as a fragment):
,3959,1130754,00.asp

