List: bleeding-sigs
Subject: Re: [Bleeding-sigs] Scans with window of 55808
From: Matt Jonkman <jonkman () bleedingthreats ! net>
Date: 2007-05-02 13:37:43
Message-ID: 46389427.3050803 () bleedingthreats ! net
Sorry, supposed to be 2182. Not 2018.
Matt
Matt Jonkman wrote:
> As noted, this is related to snort gpl rule 2018 to some degree, but
> 2018 is in the deleted ruleset and marked as related to the typot trojan.
>
> Could be similar, but we'll have to see.
>
> matt
>
> Matt Jonkman wrote:
>> Per the isc entry here: http://isc.sans.org/diary.html?n&storyid=2717
>>
>> alert tcp any any -> any any (msg:"BLEEDING-EDGE CURRENT EVENTS Traffic
>> with a window of 55808 - Unknown likely hostile scanning - Please report
>> hits to Bleeding Edge or ISC"; window:55808; classtype:attempted-recon;
>> reference:url,isc.sans.org/diary.html?n&storyid=2717;
>> reference:url,www.cert.org/current/archive/2003/06/25/archive.html;
>> sid:2003633; rev:1;)
>>
>> I didn't put a port in there, even though the isc entry notes vnc
>> traffic specifically. I suspect that this may be a lead to more general
>> scan activity. Time will tell.
>>
>> Load should be minor even though it looks like a bad rule. No matching,
>> just header filtering.
>>
>> Please report any hits here, to bleeding@bleedingthreats.net, or to ISC.
>>
>> Please quickly let me know if this hits frequently and needs a threshold.
>>
>> matt
>>
>>
>
--
--------------------------------------------
Matthew Jonkman
Bleeding Edge Threats
765-429-0398
http://www.bleedingthreats.net
--------------------------------------------
PGP: http://www.bleedingthreats.com/mattjonkman.asc
_______________________________________________
Bleeding-sigs mailing list
Bleeding-sigs@bleedingthreats.net
http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs
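As an added example (not part of the original thread or the Bleeding Edge ruleset), here is a Python sketch of the same header-only check the rule above performs: parse the IPv4/TCP headers, flag any packet carrying a TCP window of 55808 regardless of port, and apply a simple per-source sliding count threshold of the kind Matt asks about. The packets are constructed inline, and the threshold values (count, seconds) and the sliding-window semantics are assumptions, not Snort's exact threshold behaviour.

```python
import struct
from collections import defaultdict, deque

SUSPECT_WINDOW = 55808  # TCP window size matched by sid:2003633 above


def build_tcp_packet(src_ip, dst_ip, sport, dport, window):
    """Construct a minimal IPv4 + TCP SYN packet (20-byte headers) for testing."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                         bytes(map(int, src_ip.split("."))),
                         bytes(map(int, dst_ip.split("."))))
    # sport, dport, seq, ack, data offset (5 words), flags (SYN), window, csum, urg
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, window, 0, 0)
    return ip_hdr + tcp_hdr


def tcp_window(pkt):
    """Return (src_ip, dst_ip, window) for an IPv4/TCP packet, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4          # IPv4 header length in bytes
    if pkt[9] != 6 or len(pkt) < ihl + 20:
        return None                    # not TCP, or truncated TCP header
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    window = struct.unpack("!H", pkt[ihl + 14:ihl + 16])[0]
    return src, dst, window


class WindowDetector:
    """Header-only match like the rule, plus an assumed per-source threshold."""

    def __init__(self, count=5, seconds=60):
        self.count, self.seconds = count, seconds
        self.hits = defaultdict(deque)  # src_ip -> timestamps of matches

    def inspect(self, pkt, now):
        """None if no match, 'match' if under threshold, alert text otherwise."""
        parsed = tcp_window(pkt)
        if parsed is None or parsed[2] != SUSPECT_WINDOW:
            return None
        src, dst, _ = parsed
        q = self.hits[src]
        q.append(now)
        while q and now - q[0] > self.seconds:
            q.popleft()                # drop matches outside the time window
        if len(q) >= self.count:
            return f"ALERT window 55808 scan {src} -> {dst}: {len(q)} hits/{self.seconds}s"
        return "match"
```

Running `WindowDetector().inspect(pkt, time.time())` over a capture shows how often the bare header match fires before a threshold is worth adding.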