[Oisf-users] Possible bug with flow tracking engine via config or design

Cooper F. Nelson cnelson at ucsd.edu
Tue Sep 13 17:03:56 UTC 2016

Hi Hovsep,

We've seen this a lot, it's not a bug.

The systems are compromised with a DDOS bot (see the signature flavor
text) and it's the bot CnC traffic that triggered the alert.  So it's no
surprise that you should see the clients participating in a DDOS attack
shortly thereafter.


On 9/9/2016 2:20 PM, Hovsep Levi wrote:
> Hello,
> We recently experienced a DoS attack leaving our network that erroneously
> triggered the 2020381 signature for a number of spoofed IPs, 238 in total.
> In review it seems the signature should not have fired and suggests a
> possible bug in the flow tracking engine by config limits or design.
> The DoS attack was a TCP SYN flood attack with packet size varying between
> 1010 and 1042 and either the SYN flag, SYN+ECE. or SYN+CWR flags set.
> There was no three-way handshake with the target at any time.  Source ports
> were randomized.
> Signature, notice the "established" keyword:
> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN DDoS.XOR
> Checkin"; flow:to_server,established; content:"BB2FA36AAA9541F0";
> depth:500; reference:url,
> blog.malwaremustdie.org/2014/09/mmd-0028-2014-fuzzy-reversing-new-china.html;
> classtype:trojan-activity; sid:2020381; rev:3;)

Cooper Nelson
Network Security Analyst
UCSD ITS Security Team
cnelson at ucsd.edu x41042

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20160913/898a85f0/attachment-0002.sig>

More information about the Oisf-users mailing list