Add signatures for knockknock and fwknop traffic #4

mrash opened this Issue Jan 16, 2012 · 1 comment


None yet

1 participant

mrash commented Jan 16, 2012

Given the behavior of both knockknock and fwknop, it should be possible to write psad signatures to detect both pieces of software. For example, non-zero TCP ACK fields along with non-default TCP window sizes within the TCP SYN packets that knocknock produces should be detectable. For fwknop, looking for the default UDP port of 62201 combined with the minimum expected data length should be a good indicator.

mrash commented Feb 28, 2015

Added support for detecting fwknop SPA packets in 2.2.5, closing this for now.

@mrash mrash closed this Feb 28, 2015
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment