[Dshield] whisker space splice attack
tliston at premmag.com
Tue Sep 24 20:53:21 GMT 2002
This is an "artifact" as best as I can figure. What happens is that
when something is persist captured, the "Window Probe" packet
sometimes falls on a byte that is a space character (depending on
what you set the initial window size to...) and that space keeps
getting re-sent with every WinProbe. (Remember, a generic WinProbe
packet contains a single byte of data...) This is what makes snort
think it's a whisker packet...
On 19 Sep 2002 at 12:13, Ed Truitt wrote:
> Whenever my LaBrea tarpit persistently captures anything on Port 80, I start seeing a load of those alerts. I suspect that may be the Win probe being seen. Most of the Port 80 stuff I have seen in the past is related to Nimda/CR, although I have seen like 3 probes that look like Slapper or
> On Thu, Sep 19, 2002 at 10:27:17AM +0200, Thomas Nilsen wrote:
> > I assume this has to do with the OpenSSL/slapper worm, but we are seeing
> > something like 500 hits an hour on our LaBrea tarpit host (running against
> > 1 IP), all with the whisker space splice attack (as detected by Snort). The
> > packets are only coming from a few hosts (4 new hosts in the last hour). We
> > do not see this signature detected on any of our Apache/OpenSSL hosts.
> > Can anyone else confirm this?
> > Best Regards,
> > Thomas Nilsen
> > Kverneland IT
> > Tel: +47 51429463 <> Mob: +47 991 55 001
> > _______________________________________________
> > Dshield mailing list
> > Dshield at dshield.org
> > To change your subscription options (or unsubscribe), see: http://www.dshield.org/mailman/listinfo/list
> Edward D. (Ed) Truitt
> email: ed.truitt at etee2k.net
> "Note to spammers: my 'delete' key is connected to YOUR ISP.
> Also, if you send me UCE, I reserve the right to post your spew
> on my Web site, with the appropriate color commentary, so that
> others may have a good laugh at your expense."
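An added triage example, not part of the original thread or of Snort or LaBrea: it separates the re-sent one-byte window probe described above from one-byte segments whose sequence numbers advance. The record layout, function name and verdict labels are hypothetical, the sample segments are constructed, and it assumes that a spliced request advances the TCP sequence number with each byte while a window probe repeats it.

```python
from collections import defaultdict

# Constructed sample: (src, sport, dst, dport, tcp_seq, payload) per data segment.
SAMPLE_SEGMENTS = [
    # Flow held in persist state: the same one-byte probe is re-sent.
    ("192.0.2.10", 3101, "198.51.100.5", 80, 1000, b" "),
    ("192.0.2.10", 3101, "198.51.100.5", 80, 1000, b" "),
    ("192.0.2.10", 3101, "198.51.100.5", 80, 1000, b" "),
    # Flow delivering a request one byte per segment: the sequence advances.
    ("192.0.2.77", 4400, "198.51.100.9", 80, 5000, b"G"),
    ("192.0.2.77", 4400, "198.51.100.9", 80, 5001, b"E"),
    ("192.0.2.77", 4400, "198.51.100.9", 80, 5002, b"T"),
    ("192.0.2.77", 4400, "198.51.100.9", 80, 5003, b" "),
    ("192.0.2.77", 4400, "198.51.100.9", 80, 5004, b"/"),
    # A single one-byte space with nothing to compare it against.
    ("192.0.2.99", 5000, "198.51.100.9", 80, 70, b" "),
]


def triage_space_alerts(segments):
    """Label every flow that contains a one-byte 0x20 data segment."""
    one_byte = defaultdict(list)
    for src, sport, dst, dport, seq, payload in segments:
        if len(payload) == 1:
            one_byte[(src, sport, dst, dport)].append((seq, payload))

    verdicts = {}
    for flow, segs in one_byte.items():
        if not any(data == b" " for _, data in segs):
            continue  # no lone space byte, so no space alert to explain
        distinct_seqs = {seq for seq, _ in segs}
        if len(distinct_seqs) > 1:
            # Assumption: advancing sequence numbers mean new data per segment.
            verdicts[flow] = "spliced-stream"
        elif len(segs) > 1:
            # Same sequence number repeated: the probe byte is being re-sent.
            verdicts[flow] = "window-probe-retransmit"
        else:
            verdicts[flow] = "inconclusive"
    return verdicts


if __name__ == "__main__":
    for flow, verdict in triage_space_alerts(SAMPLE_SEGMENTS).items():
        print(flow, verdict)
```
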