01-20-2004 06:35 PM - edited 03-09-2019 06:11 AM
Can someone help me with this?
I am trying to create a custom signature with the following characteristics...
Option 1:
Source Sequence number is 0
Flags are Syn/Ack
Destination Port 80
MinHits 5
Option 2
Source Port 80
Flag RST
Sequence number = 1
TCP ZeroWindow
MinHits 5
I've tried using the signature wizard but can't find the right combination.
01-21-2004 02:08 PM
We don't currently support looking for specific sequence numbers or window sizes. We are in the process of planning additional engine parameters to deal with this. To create custom signatures that match close to your specifications, you could do this with ATOMIC.TCP.
Option 1
TcpFlags SYN|ACK
Mask FIN|SYN|RST|PSH|ACK|URG
DstPort 80
MinHits 5
Option 2
TcpFlags RST
Mask FIN|SYN|RST|PSH|ACK|URG
SrcPort 80
MinHits 20
If needed, you can add the SrcIpAddr / DstIpAddr parameters to limit these to certain addresses.
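The flag matching described in the answer above, modelled as an added example (this is illustration code written for this thread, not Cisco's engine code and not from any post here). It assumes the ATOMIC.TCP semantics the answer implies: a packet matches when its flag bits, restricted to Mask, equal TcpFlags and any SrcPort/DstPort/SrcIpAddr filter agrees; the signature fires once MinHits matching packets have been counted; FlipAddr swaps which address is reported as the attacker. The `count_by` switch is a modelling knob of this script, not a documented parameter, added to show why counting RSTs across all hosts fires on ordinary web-server traffic while counting per address pair does not. All packets and addresses other than 10.10.10.5 are constructed sample data.

```python
"""Model of how a Cisco IDS ATOMIC.TCP flag signature matches packets.

Added illustration, not Cisco's engine code. Assumed semantics: a packet
matches when (flags & Mask) == TcpFlags and any SrcPort/DstPort/SrcIpAddr
filters agree; the signature fires when MinHits matching packets have been
counted; FlipAddr swaps which address is reported as the attacker.
`count_by` is a modelling knob of this script (not a documented parameter).
All packets below are constructed sample data.
"""
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_BITS = {"FIN": FIN, "SYN": SYN, "RST": RST, "PSH": PSH, "ACK": ACK, "URG": URG}
ALL_FLAGS = "FIN|SYN|RST|PSH|ACK|URG"


def parse_flags(spec: str) -> int:
    """Convert a 'SYN|ACK' style list into a flag bitmask."""
    return sum(FLAG_BITS[name] for name in spec.split("|") if name)


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    flags: int


@dataclass
class AtomicTcp:
    tcp_flags: str
    mask: str
    min_hits: int
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    src_ip: Optional[str] = None
    flip_addr: bool = False

    def matches(self, p: Packet) -> bool:
        if self.src_port is not None and p.src_port != self.src_port:
            return False
        if self.dst_port is not None and p.dst_port != self.dst_port:
            return False
        if self.src_ip is not None and p.src_ip != self.src_ip:
            return False
        # Mask selects the flag bits that are examined; TcpFlags gives the
        # values those bits must have. With the full mask, RST|ACK does not
        # match TcpFlags RST because the ACK bit is examined and must be 0.
        return (p.flags & parse_flags(self.mask)) == parse_flags(self.tcp_flags)

    def run(self, packets: List[Packet], count_by: str = "pair") -> List[Tuple[str, str]]:
        """Return one (attacker, victim) tuple per firing."""
        hits: Counter = Counter()
        alarms = []
        for p in packets:
            if not self.matches(p):
                continue
            # "pair" counts per (src, dst) address pair; "all" counts every
            # matching packet in one bucket regardless of addresses.
            key = (p.src_ip, p.dst_ip) if count_by == "pair" else "all"
            hits[key] += 1
            if hits[key] == self.min_hits:
                # FlipAddr: the packet's destination is reported as the attacker.
                alarms.append((p.dst_ip, p.src_ip) if self.flip_addr else (p.src_ip, p.dst_ip))
        return alarms


# The two signatures from the accepted answer; Option 2 with FlipAddr as the
# original poster used it.
OPTION_1 = AtomicTcp(tcp_flags="SYN|ACK", mask=ALL_FLAGS, dst_port=80, min_hits=5)
OPTION_2 = AtomicTcp(tcp_flags="RST", mask=ALL_FLAGS, src_port=80, min_hits=20, flip_addr=True)


def build_traffic(include_zombie: bool) -> List[Packet]:
    """Constructed sample: 25 unrelated web servers each send one RST to a
    different client (normal background). Optionally, one web server
    (10.10.10.5, the address from the thread) sends 20 RSTs from port 80 to
    a single host, plus two packets Option 2 must ignore."""
    pkts = []
    for i in range(25):
        pkts.append(Packet(f"10.10.20.{i + 1}", f"198.51.100.{i + 1}", 80, 40000 + i, RST))
        if include_zombie and i < 20:
            pkts.append(Packet("10.10.10.5", "192.0.2.77", 80, 50000 + i, RST))
    if include_zombie:
        pkts.append(Packet("10.10.10.5", "192.0.2.77", 80, 51000, SYN | ACK))  # wrong flags
        pkts.append(Packet("10.10.10.5", "192.0.2.77", 80, 51001, RST | ACK))  # ACK bit set
    return pkts


def option2_alarms(include_zombie: bool, count_by: str) -> List[Tuple[str, str]]:
    return OPTION_2.run(build_traffic(include_zombie), count_by)


if __name__ == "__main__":
    print("per pair, with zombie :", option2_alarms(True, "pair"))
    print("per pair, background  :", option2_alarms(False, "pair"))
    print("all hosts, background :", option2_alarms(False, "all"))
```

Run it and compare the last two lines: the background traffic alone never puts 20 RSTs on one address pair, so per-pair counting stays quiet, while a single shared counter reaches 20 on ordinary traffic and attributes the alarm to whichever unrelated server happened to send the twentieth RST. That is the behaviour the poster saw when leaving SrcIpAddr off, and it is why pinning the source to the known web servers (or a high MinHits) is needed with this engine.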
01-20-2004 09:20 PM
Here is what I tried, in order to achieve option 2 - it didn't work:
Sweep.port.tcp signature
Mask: SYN/FIN/RST
TcpFlags: RST
MinHit: 5
Protocol: TCP
Unique: 5
PortRange: 1
InvertedSweep: True
This isn't firing...
01-21-2004 08:20 AM
I finally have it working, but not quite the way I want it.
ATOMIC.TCP
FlipAddr: True
Mask: FIN/SYN/RST
MinHits: 20
Protocol: TCP
SrcIPAddr: 10.10.10.5
SrcIpMask: 255.255.255.255
SrcPort: 80
TcpFlags: RST
If I don't specify the source, it fires often - due to the fact it's going to see more than 20 RST packets to various hosts. I would like to use a state based signature, so I don't have to specify the source.
I'm trying to get it to fire when the IDS system sees an IP address sending multiple RST packets to another machine with the source coming from TCP 80.
01-21-2004 10:11 PM
Thank you for your guidance... FYI: This signature helps identify when a port scan is taking place using the nmap idle feature. If this signature fires at the same time as the TCP SYN PORT Sweep, then the source (since flipaddress is true) is the one probing the zombie's IPID. I've tested it several times and it works well... I have to keep the minhits high, around 20-30, and define the source as the web servers and it works great. Thanks for your help!