[Snort-sigs] SID 275: Eats CPU

Erek Adams erek at ...95...
Wed Apr 2 05:01:13 EST 2003


On Wed, 2 Apr 2003, [iso-8859-1] Lars Jørgensen IT wrote:

> One of my snort boxes was becoming bogged down by traffic (we're on a pretty
> loaded 100Mbps link to the Internet here). I started going through the rules
> to find the CPU intensive ones and get rid of them if possible.
>
> Once I disabled SID 275 ("DOS NAPHTA" from dos.rules) the CPU load fell from
> +98% to about 50-60%.
>
> Other people might benefit from this knowledge. Maybe there's even a
> possibility to rewrite the rule.

I really don't think that rule is CPU intensive.  I think you're having a
Naphta DOS running to or from your network.  Have a look at the rule:

  alert tcp $EXTERNAL_NET any <> $HOME_NET any (msg:"DOS NAPTHA"; flags:S;
  seq: 6060842; id: 413; reference:cve,CAN-2000-1039;
  reference:url,www.microsoft.com/technet/security/bulletin/MS00-091.asp;
  reference:url,www.cert.org/advisories/CA-2000-21.html;
  reference:url,razor.bindview.com/publish/advisories/adv_NAPTHA.html;
  reference:bugtraq,2022; classtype:attempted-dos; sid:275; rev:4;)

The last four lines have nothing to do with the sig itself, as they are
just refs.  The sig really consists of just two parts.  flags:S and seq
6060842.  It's just looking for a packet with the static sequence number
of 6060842 with a SYN flag set.  Nothing there that really would eat CPU.

Enable the rule, and see what happens to your load.  If it spikes again,
check your traffic and see if you have any packets with that sequence
number coming in or going out.  I'm guessing you'll find them....

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson




More information about the Snort-sigs mailing list