Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
You may experience some slow load times, errors, and slight inconsistencies. We ask for your patience as we finalize the launch. Thank you.

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

"Stumbler" Distributed Stealth Scanning Network

Internet Security Systems Security Alert

June 19, 2003

"Stumbler" Distributed Stealth Scanning Network

Synopsis:

X-Force has been tracking reports of suspicious and widespread Internet

traffic with a TCP Window size of 55808. A substantial amount of traffic

captured from sites around the world point to a new distributed port

scanning system. X-Force has analyzed malware that appears to be a client

capable of scanning and receiving network mapping data from other similar

clients distributed across the Internet. X-Force has named this malware,

"Stumbler".

ANYONE KNOW OF AN IDS SIG or CUSTOM sig for this?? Thank you

  • Other Security Subjects
1 REPLY
Bronze

Re: "Stumbler" Distributed Stealth Scanning Network

Cisco IDS does not currently have the ability to identify packets with a specific TCP Window Size of 55808. However, based on the research presented, it is possible to create a custom signature / filter combination to catch the current Stumbler implementations.

1) Create a custom ATOMIC.TCP signature with the following parameters.

DstPort 22

Mask SYN | FIN | URG | PSH | ACK | RST

TcpFlags SYN

2) Create a filter for the custom alarm you created to catch for the destination

IP address "12.108.65.76". Please consult the Cisco IDS documentation for directions on adding a signature filture.

We are looking into adding an enhancement to Cisco IDS to allow for specific TCP Window Sizes to be identified.

94
Views
0
Helpful
1
Replies