[Snort-sigs] snort-sigs (fwd)

Bill McCarty bmccarty at ...483...
Sun Apr 21 10:18:03 EDT 2002

Hi Snort-Sigs,

I earlier submitted this signature description. As yet, it has not been 
reflected in the on-line database. Did I somehow screw up the submission? 
If so, I'd appreciate feedback. I have other signatures to contribute -- 
including some novel signatures recognizing rootkits -- but don't want to 
clog the process by submitting them badly.


---------- Forwarded Message ----------
Date: Saturday, March 30, 2002 9:48 AM -0800
From: Bill McCarty <bmccarty at ...483...>
To: snort-sigs at lists.sourceforge.net
Subject: snort-sigs

# This is a template for submitting snort signature descriptions to
# the snort.org website
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to others' work.
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
# $Id$

Rule:  DOS MSDTC attempt

Sid: 1408

A TCP packet having a large payload was detected. This is a possible
indication of an actual or impending denial of service attack against a
host running the Microsoft Distributed Transaction Service Coordinator.

According to Bugtraq, sending such packets to MSDTC can cause the server to
crash, resulting in a host denial of service. Restarting the service will
enable it to resume normal operation.

Detailed Information:

According to Bugtraq, MSDTC is installed by default on Windows 2000. It is
also installed by default with Microsoft SQL Server, versions 6.5 and
later. According to Microsoft TechNet, the service is required by Internet
Information server. The service listens by default on port 3372.

According to the original reporter, Windows 2000 SP2 is vulnerable to this
attack, which does not invariably succeed. The original report was dated
January 31, 2002. As of March 30, 2002, no patch to fix the vulnerability
was known to exist. Moreover, Microsoft was not known to have confirmed the
existence of the problem.

Attack Scenarios:
Under Unix, use /dev/random to generate 1024 bytes of random data and pipe
the data to the target host and port via netcat (Source: SecurityTracker).
The attack does not depend on two-way communication with the victim, so the
source IP address can be spoofed by using a packet crafter.

Ease of Attack:
The attack can be easily mounted, using any tool that can send crafted
packets or Unix commands.

False Positives:
Linux FTP servers and clients frequently transfer TCP packets having a
payload size larger than 1023 bytes. To distinguish a false positive,
determine whether MSDTC is running on the indicated destination source and

False Negatives:
The Snort rule examines only the payload size. Therefore, false negatives
are unlikely unless MSDTC is vulnerable to smaller packets than currently

Corrective Action:
To manage the vulnerability, configure the system not to automatically start
the MSDTC (Source: Security Operations Guide for Windows 2000 Server).
Alternatively, configure firewall rules to limit access to the service. To
eliminate false positives, revise the Snort rule to specify IP addresses of
only those hosts actually running the service.

Originally reported by palante at ...484...
Snort signature description by bmccarty at ...483...

Additional References:
Bugtraq
Microsoft TechNet: Security Operations Guide for Windows 2000 Server (URL fragment as archived: curity/tools/iis4cl.asp)
How Does MTS Work? (URL fragment as archived: hive/transsrv/mtxpg03.asp)
Linked Servers and Distributed Transactions (URL fragment as archived: odtechnol/sql/maintain/featusability/c08ppcsq.asp)
Default Windows 2000 Services (URL fragment as archived: curity/prodtech/windows/windows2000/staysecure/secopsb.asp)
SecurityTracker

Bill McCarty

---------- End Forwarded Message ----------

Bill McCarty
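The "Corrective Action" section of the forwarded description suggests narrowing the rule to hosts that actually run MSDTC. As an added illustration (not the rule text from this archive or from snort.org), here is a Snort 2 rule in the broad form the description characterizes (port 3372, payload larger than 1023 bytes, sid 1408) next to a version restricted to a host list. Everything beyond port 3372, dsize:>1023 and sid 1408 is assumed: the flow and classtype options, the 192.0.2.x addresses (documentation range, constructed), and the local sid 1000408.

```snort
# Broad form: any established TCP connection to port 3372 on any HOME_NET host
# carrying a payload over 1023 bytes. Matches the behaviour the description
# attributes to sid 1408; option set other than port/dsize/sid is assumed.
alert tcp $EXTERNAL_NET any -> $HOME_NET 3372 (msg:"DOS MSDTC attempt"; flow:to_server,established; dsize:>1023; classtype:attempted-dos; sid:1408; rev:1;)

# Narrowed form: only hosts known to run MSDTC. Addresses below are constructed
# placeholders; replace with the inventory of MSDTC servers on your network.
ipvar MSDTC_SERVERS [192.0.2.10,192.0.2.11]

# Local copy of the rule (sid 1000408 is a constructed local sid in the
# >1000000 range reserved for site-specific rules). Large transfers to other
# hosts on port 3372, such as the FTP traffic mentioned under False Positives,
# no longer fire this rule.
alert tcp $EXTERNAL_NET any -> $MSDTC_SERVERS 3372 (msg:"DOS MSDTC attempt (MSDTC hosts only)"; flow:to_server,established; dsize:>1023; classtype:attempted-dos; sid:1000408; rev:1;)
```

Keeping the broad rule and the narrowed rule both enabled is pointless; disable sid 1408 (or leave it as a local-only rule at a lower priority) once the host list is maintained, otherwise the false positives the description mentions remain.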
