[Oisf-users] Possible bug with flow tracking engine via config or design
Cooper F. Nelson
cnelson at ucsd.edu
Tue Sep 13 17:03:56 UTC 2016
Hi Hovsep,
We've seen this a lot; it's not a bug.
The systems are compromised with a DDOS bot (see the signature flavor
text) and it's the bot CnC traffic that triggered the alert. So it's no
surprise that you should see the clients participating in a DDOS attack
shortly thereafter.
-Coop
On 9/9/2016 2:20 PM, Hovsep Levi wrote:
> Hello,
>
> We recently experienced a DoS attack leaving our network that erroneously
> triggered the 2020381 signature for a number of spoofed IPs, 238 in total.
> In review it seems the signature should not have fired and suggests a
> possible bug in the flow tracking engine by config limits or design.
>
> The DoS attack was a TCP SYN flood attack with packet size varying between
> 1010 and 1042 and either the SYN flag, SYN+ECE, or SYN+CWR flags set.
> There was no three-way handshake with the target at any time. Source ports
> were randomized.
>
> Signature, notice the "established" keyword:
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN DDoS.XOR
> Checkin"; flow:to_server,established; content:"BB2FA36AAA9541F0";
> depth:500; reference:url,blog.malwaremustdie.org/2014/09/mmd-0028-2014-fuzzy-reversing-new-china.html;
> classtype:trojan-activity; sid:2020381; rev:3;)
>
--
Cooper Nelson
Network Security Analyst
UCSD ITS Security Team
cnelson at ucsd.edu x41042
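To make the point of the thread concrete, here is an added example (mine, not code from either poster and not Suricata's stream engine) that models the two conditions the quoted signature imposes: the flow must be established, meaning a completed SYN, SYN/ACK, ACK handshake in this simplified tracker, and the content "BB2FA36AAA9541F0" must appear within the first 500 payload bytes toward the server. Replaying a spoofed SYN flood with the same flag mix and packet sizes Hovsep describes produces no match even when the bytes are present, while a real handshake followed by a check-in does. All IP addresses, ports and payloads are constructed from documentation ranges; how Suricata itself decides "established" (for example with midstream pickup) is deliberately not modeled here.

```python
"""Toy flow tracker + signature check for sid:2020381 (teaching model only)."""
import random
from dataclasses import dataclass

# TCP flag bits (RFC 793, ECN bits from RFC 3168)
SYN, ACK, ECE, CWR = 0x02, 0x10, 0x40, 0x80

# Content and depth taken from the signature quoted in the thread.
PATTERN = b"BB2FA36AAA9541F0"
DEPTH = 500


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    payload: bytes = b""


class FlowTracker:
    """A flow is 'established' only after SYN -> SYN/ACK -> ACK.

    Simplification for illustration: no timeouts, no midstream pickup,
    no RST/FIN handling. Not Suricata's implementation.
    """

    def __init__(self):
        # (client, cport, server, sport) -> "syn_sent" | "syn_recv" | "established"
        self.flows = {}

    def _lookup(self, pkt):
        """Return (flow key, to_server) for this packet."""
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.flows:
            return fwd, True
        if rev in self.flows:
            return rev, False
        return fwd, True  # unknown flow: treat the sender as the client

    def process(self, pkt):
        """Update flow state; return (established, to_server) for this packet."""
        key, to_server = self._lookup(pkt)
        state = self.flows.get(key)
        if state is None:
            # Only a bare client SYN opens a flow; anything else is a stray packet.
            if pkt.flags & SYN and not pkt.flags & ACK:
                self.flows[key] = "syn_sent"
            return False, to_server
        if state == "syn_sent" and not to_server and pkt.flags & SYN and pkt.flags & ACK:
            self.flows[key] = "syn_recv"
        elif state == "syn_recv" and to_server and pkt.flags & ACK and not pkt.flags & SYN:
            self.flows[key] = "established"
        return self.flows[key] == "established", to_server


def sig_2020381_matches(tracker, pkt):
    """flow:to_server,established; content:PATTERN; depth:500."""
    established, to_server = tracker.process(pkt)
    return established and to_server and PATTERN in pkt.payload[:DEPTH]


def syn_flood_hits(n=238, seed=1):
    """Replay a spoofed SYN flood like the one described (constructed data).

    Payloads deliberately carry the signature bytes to show that the
    'established' requirement alone is what keeps the rule from firing.
    """
    rng = random.Random(seed)
    tracker = FlowTracker()
    hits = 0
    for i in range(n):
        src = f"10.0.{i // 256}.{i % 256}"          # spoofed source, constructed
        flags = rng.choice([SYN, SYN | ECE, SYN | CWR])
        size = rng.randint(1010, 1042)
        payload = PATTERN + b"A" * (size - len(PATTERN))
        pkt = Packet(src, rng.randint(1024, 65535), "203.0.113.10", 80, flags, payload)
        hits += int(sig_2020381_matches(tracker, pkt))
    return hits


def bot_checkin_results():
    """Full handshake then a check-in carrying the pattern (constructed data)."""
    tracker = FlowTracker()
    client, server = ("192.0.2.5", 40000), ("198.51.100.7", 443)
    packets = [
        Packet(*client, *server, SYN),
        Packet(*server, *client, SYN | ACK),
        Packet(*client, *server, ACK),
        Packet(*client, *server, ACK, b"\x00" * 16 + PATTERN + b"\x00" * 100),
    ]
    return [sig_2020381_matches(tracker, p) for p in packets]


if __name__ == "__main__":
    print("SYN flood matches:", syn_flood_hits())        # 0
    print("check-in sequence:", bot_checkin_results())  # [False, False, False, True]
```

The practical takeaway is the same one Coop gives: under the rule's own terms, an alert on these hosts implies a flow that was already established and carried the check-in bytes, so the hosts firing the alert are the ones to triage, not the spoofed SYNs that came later.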