[Intrusions] LOGS: GIAC GCIA Version 3.5 Practical Detect Dante Winslow
dwinslow at steelersfan.net
Wed Dec 1 15:40:05 GMT 2004
Sam,
Thanks for your comments. I appreciate your taking the time to review this post, and I will be making use of your comments in my assignment.
Looking through the collection of passive fingerprints generated by
the smart folks who wrote p0f ( http://lcamtuf.coredump.cx/p0f.shtml )
it looks like most TTLs are a power of 2 - all the ones I've seen are
at least 32. If you've got a hop count at 12-15 and started off at 32
or better yet 64 - I don't see the source system being all that close.
What made you draw that conclusion?
My assumption was that since these packets were crafted, their primary purpose is to quickly reach their target or "die" and not to float around on the wire. The small TTLs give it an increased effectiveness if the target is reached, or some sort of security measure if it is not. Similar to the Mission Impossible credo "This message will self destruct in 15 seconds".
Did you look for packets with a source address of 255.255.255.255 and
a source port other than 31337? What are the chances this traffic is
the result of a misconfiguration of some kind?
Yes, I did check for packets with different sources, and in this log file all packets had the same address and source. There have been many reported cases of traffic similar to this going back as far as the year 2000.
Interestingly enough, SANS has a FAQ on the Q trojan. One thing it
mentions is that the sequence number, acknowledgement number and
window size are randomly generated. That does not appear to be the
case here. Perhaps the other alerts are different. Have a look if you
get a chance: http://www.sans.org/resources/idfaq/qtrojan.php
I have read it and it was very interesting.
seemly targeted against internal addresses on port 515, normally used by the LPD daemon
I think you were looking for the word seemingly here.
Very true, I was attempting to use seemingly. Thank you so much.
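As an added example (not code from the original post or from either author of this thread), here is a small Python script that carries out the two checks the exchange above describes: it infers a hop count from an observed TTL by assuming the smallest common initial TTL at or above it, and it tests a batch of packets for the traits discussed (fixed source 255.255.255.255, source port 31337, destination port 515, and whether sequence, acknowledgement and window values ever change). The Packet class and the sample packets are constructed for the example and are not taken from the log file.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Initial TTLs used by mainstream IP stacks; p0f's fingerprints draw on the same set.
INITIAL_TTLS = (32, 64, 128, 255)


@dataclass
class Packet:
    """Header summary of one packet; the values below are constructed, not captured."""
    src: str
    sport: int
    dst: str
    dport: int
    ttl: int
    seq: int
    ack: int
    window: int


def infer_hops(observed_ttl: int) -> Tuple[int, int]:
    """Return (assumed initial TTL, estimated hop count).

    Assumes the sender started from the smallest common initial TTL that is
    >= the observed value, so an observed TTL of 17 means 32 - 17 = 15 hops.
    """
    if not 1 <= observed_ttl <= 255:
        raise ValueError("IPv4 TTL must be in 1..255")
    initial = next(t for t in INITIAL_TTLS if observed_ttl <= t)
    return initial, initial - observed_ttl


def analyse(packets: List[Packet]) -> Dict[str, object]:
    """Check the batch for the traits discussed in the thread."""
    return {
        "all_src_broadcast": {p.src for p in packets} == {"255.255.255.255"},
        "all_sport_31337": {p.sport for p in packets} == {31337},
        "all_dport_515": {p.dport for p in packets} == {515},
        # SANS describes the Q trojan as randomising seq/ack/window; values that
        # never change across the batch argue against that description.
        "seq_ack_window_vary": len({(p.seq, p.ack, p.window) for p in packets}) > 1,
        "hop_counts": sorted({infer_hops(p.ttl)[1] for p in packets}),
    }


# Constructed sample resembling the detect under discussion (not from the log file).
SAMPLE = [
    Packet("255.255.255.255", 31337, "10.0.0.5", 515, 17, 0, 0, 0),
    Packet("255.255.255.255", 31337, "10.0.0.9", 515, 18, 0, 0, 0),
    Packet("255.255.255.255", 31337, "10.0.0.12", 515, 20, 0, 0, 0),
]
```

Running analyse(SAMPLE) on the constructed batch reports hop counts of 12 to 15 from an assumed initial TTL of 32 and no variation in seq/ack/window, which is the pattern the thread is weighing against the SANS FAQ description.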