[Dshield] whisker space splice attack -

Tom Liston tliston at premmag.com
Tue Sep 24 20:53:21 GMT 2002


Ed-

This is an "artifact" as best as I can figure.   What happens is that 
when something is persist captured, the "Window Probe" packet 
sometimes falls on a byte that is a space character (depending on 
what you set the initial window size to...) and that space keeps 
getting re-sent with every WinProbe.  (Remember, a generic WinProbe 
packet contains a single byte of data...)  This is what makes snort 
think it's a whisker packet...

-TL
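The mechanism described above, as an added illustration that is not part of the original thread or of LaBrea's or Snort's own code: a toy model in which a client fills the window it was granted, the tarpit then holds the window at zero without acknowledging the probe byte, and every window probe therefore re-sends the same single byte. The detection check is my simplification of the Snort "whisker space splice attack" rule (one data byte to an HTTP port, and that byte is 0x20), and the HTTP request, port and window sizes are constructed values. The helper that lists the window sizes for which the probe byte is a space goes slightly beyond the message by showing the general dependency on the initial window, not just one case.

```python
# Added example (not from the mailing list): why a persist-captured client
# can look like a "whisker space splice" source to Snort.
#
# Assumptions (mine, not from the original post):
#   * the tarpit grants `initial_window` bytes, then advertises a zero window
#     and never acknowledges the probe byte, so each window probe carries the
#     same first unsent byte of the client's request
#   * the rule is modelled as: destination port 80, exactly one data byte,
#     and that byte is an ASCII space (0x20)

from dataclasses import dataclass

HTTP_PORT = 80  # constructed; only the HTTP port matters for the model


@dataclass
class Packet:
    dst_port: int
    payload: bytes


def persist_capture(request: bytes, initial_window: int, probes: int) -> list[Packet]:
    """Simulate the client side of a persist capture.

    Sends one segment filling `initial_window`, then `probes` window-probe
    segments. Because the probe byte is never ACKed, every probe carries the
    byte at offset `initial_window` of the request.
    """
    pkts = [Packet(HTTP_PORT, request[:initial_window])]
    probe_byte = request[initial_window:initial_window + 1]
    for _ in range(probes):
        if not probe_byte:  # request exhausted, nothing left to probe with
            break
        pkts.append(Packet(HTTP_PORT, probe_byte))
    return pkts


def whisker_space_splice_match(pkt: Packet) -> bool:
    """Simplified model of the Snort rule: a one-byte space to an HTTP port."""
    return pkt.dst_port == HTTP_PORT and len(pkt.payload) == 1 and pkt.payload == b" "


def count_alerts(request: bytes, initial_window: int, probes: int) -> int:
    """Number of simulated packets the rule would fire on for this capture."""
    return sum(whisker_space_splice_match(p) for p in persist_capture(request, initial_window, probes))


def space_trigger_windows(request: bytes) -> list[int]:
    """Initial window sizes for which the probe byte lands on a space.

    Each such window size makes every subsequent probe trigger the rule,
    which is the "depending on what you set the initial window size to"
    effect described in the thread.
    """
    return [i for i, b in enumerate(request) if b == 0x20]


if __name__ == "__main__":
    req = b"GET /index.html HTTP/1.0\r\n\r\n"  # constructed sample request
    for window in (3, 4, 15):
        alerts = count_alerts(req, window, probes=5)
        print(f"initial window {window:2d}: {alerts} alert(s) over 5 probes")
    print("window sizes whose probe byte is a space:", space_trigger_windows(req))
```

Run as-is and the model fires on every probe when the window edge falls on the space after `GET` (window 3) or the space before `HTTP/1.0` (window 15), and on none when it falls on the `/` (window 4). The practical reading is the one Tom gives: for a tarpit, a steady stream of identical one-byte packets to port 80 from the same source is the persist mechanism at work, not a scanner, so the alert count says nothing about the attacker's tooling.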


On 19 Sep 2002 at 12:13, Ed Truitt wrote:

> Whenever my LaBrea tarpit persistently captures anything on Port 80, I start seeing a load of those alerts.  I suspect that may be the Win probe being seen.  Most of the Port 80 stuff I have seen in the past is related to Nimda/CR, although I have seen like 3 probes that look like Slapper or mod_ssl exploits.
> 
> Regards,
> -EdT.
> 
> 
> On Thu, Sep 19, 2002 at 10:27:17AM +0200, Thomas Nilsen wrote:
> > I assume this has to do with the OpenSSL/slapper worm, but we are seeing
> > something like 500 hits an hour on our Lambrea tarpit host (running against
> > 1 IP), all with the whisker space splice attack (as detected by Snort). The
> > packets are only coming from a few hosts (4 new hosts in the last hour).  We
> > do not see this signatures detected on any of our Apache/OpenSSL hosts.
> > 
> > Can anyone else confirm this?
> > 
> > Best Regards,
> > Thomas Nilsen
> > Kverneland IT
> > Tel: +47 51429463 <> Mob: +47 991 55 001
> > 
> > _______________________________________________
> > Dshield mailing list
> > Dshield at dshield.org
> > To change your subscription options (or unsubscribe), see: http://www.dshield.org/mailman/listinfo/list
> 
> -- 
> <==============================================================>
> Edward D. (Ed) Truitt
> email:  ed.truitt at etee2k.net      
> http://www.etee2k.net 
> "Note to spammers: my 'delete' key is connected to YOUR ISP. 
> Also, if you send me UCE, I reserve the right to post your spew 
> on my Web site, with the appropriate color commentary, so that 
> others may have a good laugh at your expense."
> 