
List:       bleeding-sigs
Subject:    Re: [Bleeding-sigs] Scans with window of 55808
From:       Matt Jonkman <jonkman () bleedingthreats ! net>
Date:       2007-05-02 13:37:43
Message-ID: 46389427.3050803 () bleedingthreats ! net

Sorry, supposed to be 2182. Not 2018.

Matt

Matt Jonkman wrote:
> As noted, this is related to snort gpl rule 2018 to some degree, but
> 2018 is in the deleted ruleset and marked as related to the typot trojan.
> 
> Could be similar, but we'll have to see.
> 
> matt
> 
> Matt Jonkman wrote:
>> Per the isc entry here: http://isc.sans.org/diary.html?n&storyid=2717
>>
>> alert tcp any any -> any any (msg:"BLEEDING-EDGE CURRENT EVENTS Traffic
>> with a window of 55808 - Unknown likely hostile scanning - Please report
>> hits to Bleeding Edge or ISC"; window:55808; classtype:attempted-recon;
>> reference:url,isc.sans.org/diary.html?n&storyid=2717;
>> reference:url,www.cert.org/current/archive/2003/06/25/archive.html;
>> sid:2003633; rev:1;)
>>
>> I didn't put a port in there, even though the isc entry notes vnc
>> traffic specifically. I suspect that this may be a lead to more general
>> scan activity. Time will tell.
>>
>> Load should be minor even though it looks like a bad rule. No matching,
>> just header filtering.
>>
>> Please report any hits here, to bleeding@bleedingthreats.net, or to ISC.
>>
>> Please quickly let me know if this hits frequently and needs a threshold.
>>
>> matt
>>
>>
> 

-- 
--------------------------------------------
Matthew Jonkman
Bleeding Edge Threats
765-429-0398
http://www.bleedingthreats.net
--------------------------------------------

PGP: http://www.bleedingthreats.com/mattjonkman.asc


_______________________________________________
Bleeding-sigs mailing list
Bleeding-sigs@bleedingthreats.net
http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs
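As an added illustration (not code from the list or from Matt), the following Python mirrors what the rule above does when it matches on nothing but the TCP header: it extracts the window field from a constructed IPv4/TCP packet, fires on 55808, and applies a simple per-source limit in the spirit of the threshold Matt mentions. All addresses and packet contents are constructed samples.

```python
import struct
from typing import Optional

WINDOW_OF_INTEREST = 55808  # the window:55808 option from the rule


def tcp_window(ipv4_packet: bytes) -> Optional[int]:
    """Return the TCP window field of an IPv4/TCP packet, or None if not TCP."""
    if len(ipv4_packet) < 20:
        return None
    ihl = (ipv4_packet[0] & 0x0F) * 4          # IP header length in bytes
    if ipv4_packet[9] != 6 or len(ipv4_packet) < ihl + 20:
        return None                             # protocol 6 is TCP
    # TCP header: sport(2) dport(2) seq(4) ack(4) offset(1) flags(1) window(2)
    return struct.unpack("!H", ipv4_packet[ihl + 14:ihl + 16])[0]


def src_ip(ipv4_packet: bytes) -> str:
    return ".".join(str(b) for b in ipv4_packet[12:16])


class ThresholdAlerter:
    """Alert on a window match at most once per source per `seconds`,
    modelled on Snort's threshold type limit, track by_src (hypothetical)."""

    def __init__(self, seconds: float = 60.0):
        self.seconds = seconds
        self.last_alert = {}                    # src ip -> timestamp of last alert

    def process(self, pkt: bytes, ts: float) -> bool:
        if tcp_window(pkt) != WINDOW_OF_INTEREST:
            return False                        # header-only filter, no payload match
        src = src_ip(pkt)
        if src in self.last_alert and ts - self.last_alert[src] < self.seconds:
            return False                        # suppressed by the limit
        self.last_alert[src] = ts
        return True


def build_packet(src: str, dst: str, sport: int, dport: int, window: int) -> bytes:
    """Construct a minimal IPv4/TCP SYN with the given window (sample data)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                         bytes(int(o) for o in src.split(".")),
                         bytes(int(o) for o in dst.split(".")))
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, window, 0, 0)
    return ip_hdr + tcp_hdr
```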