Additional notes on Stumbler.

Published: 2003-06-23
Last Updated: 2003-06-23 21:34:18 UTC
by Handlers (Version: 1)
This is an addition to yesterday's diary:

http://isc.sans.org/diary.html?date=2003-06-22

To detect these packets with Snort, Brian Coyle has provided a Snort rule:

alert tcp any any -> any any (msg:"WATCHLIST - 20030613-window size 0xDA00"; flags: S; window: 55808; classtype:bad-unknown; sid:9999999; rev:2; reference:url,cert.uni-stuttgart.de/archive/intrusions/2003/06/msg00146.html; reference:url,www.gcn.com/vol1_no1/daily-updates/22371-1.html; reference:url,www.securityfocus.com/archive/75/324348/2003-06-09/2003-06-15/0;)

To capture the packets, tcpdump can be used:

tcpdump -i eth0 -np -s 1500 -w /root/tcp-5508 'tcp[14:2] = 55808'

Adjust "eth0" to be your primary network device.
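
An added example, not part of the original diary: a Python script for reviewing the capture file written by the tcpdump command above. The tcpdump filter matches on window size alone, so the script also applies the Snort rule's SYN-only condition. The function names, the sample capture and its addresses are constructed for illustration; it assumes a classic libpcap file with Ethernet framing and IPv4.

```python
import io
import socket
import struct

WINDOW = 55808  # 0xDA00, the window size the rule and the filter key on

def match_frame(frame):
    """Return (src, dst, dport) for an IPv4 TCP SYN with window 55808, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None                              # not IPv4 or not TCP
    if struct.unpack("!H", frame[20:22])[0] & 0x1FFF:
        return None                              # later fragment: no TCP header
    tcp = 14 + (frame[14] & 0x0F) * 4            # honour IP options via IHL
    if len(frame) < tcp + 16:
        return None                              # truncated packet
    dport, = struct.unpack("!H", frame[tcp + 2:tcp + 4])
    window, = struct.unpack("!H", frame[tcp + 14:tcp + 16])  # same bytes as tcp[14:2]
    if frame[tcp + 13] != 0x02 or window != WINDOW:  # SYN alone, as in "flags: S"
        return None
    return (socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34]), dport)

def scan_pcap(stream):
    """Yield matches from a classic libpcap stream with Ethernet link type."""
    head = stream.read(24)
    order = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(head[:4])
    if len(head) < 24 or order is None or struct.unpack(order + "I", head[20:24])[0] != 1:
        raise ValueError("not a classic Ethernet pcap")
    while len(rec := stream.read(16)) == 16:
        incl_len = struct.unpack(order + "IIII", rec)[2]
        hit = match_frame(stream.read(incl_len))
        if hit:
            yield hit

def build_frame(src, dst, dport, flags, window):  # helper for constructed frames
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", 1024, dport, 0, 0, 0x50, flags, window, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def sample_pcap():
    """Constructed three-packet capture; addresses are documentation ranges."""
    frames = [build_frame("192.0.2.10", "198.51.100.5", 80, 0x02, 55808),
              build_frame("192.0.2.10", "198.51.100.6", 22, 0x12, 55808),  # SYN+ACK
              build_frame("192.0.2.11", "198.51.100.5", 443, 0x02, 8192)]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 1500, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return io.BytesIO(out)
```

To run it against a real capture, pass scan_pcap() a file opened in binary mode instead of sample_pcap().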

Here are some additional links to Stumbler articles and pages:

http://news.com.com/2100-1002_3-1019759.html

http://www.eweek.com/article2/0,3959,1130754,00.asp

http://www.gcn.com/vol1_no1/daily-updates/22371-1.html

http://www.informationweek.com/story/showArticle.jhtml?articleID=10700645

http://www.internetwk.com/breakingNews/showArticle.jhtml?articleID=10700746

http://www.lancope.com/news/Virus_Alert_Trojan.htm

http://securityfocus.com/archive/1/326149/2003-06-19/2003-06-25/0

http://www.securityfocus.com/archive/75/324348/2003-06-09/2003-06-15/0

http://www.theregister.co.uk/content/55/31341.html
