[Snort-sigs] change to sid 2189 (PIM) to account for MCAST-NET
warchild at ...288...
Sat Aug 23 18:49:18 EDT 2003
After some new networking gear was brought online, rule sid 2189 went
bezerk and alerted quite often. IIRC, it wasn't from the new gear
itself, but rather the result of new acls that now allowed multicast
traffic to flow a bit more freely on the network(s) in question. They
were all going to addresses in the 18.104.22.168/4 network, which is set
aside for multicast traffic.
Because the exploit requires that the malicious traffic is targeted at a
specific device and must "land" there, 'any' as a destination address in
sid 2189 was initially sufficient. I've now changed my local rule to
not alert on PIM traffic going to the multicast network.
There may be a legitimate reason to alert on PIM traffic going to the
multicast address, but I certainly can't think of one right now.
In snort.conf, I defined a new variable for this network:
var MULTICAST_NET 22.214.171.124/4
And tweaked sid 2189 as follows:
alert ip any any -> !MULTICAST_NET any (msg:"BAD-TRAFFIC IP Proto 103 (PIM)";
ip_proto:103; reference:bugtraq,8211; reference:cve,CAN-2003-0567;
classtype:non-standard-protocol; sid:2189; rev:2;)
I'd like to hear people's thoughts on this change, if any. If it can't
be changed, I think the documentation for this rule should be changed to
note the possibility of high false positives:
"Possible. If traffic is destined for 126.96.36.199/4, this is usually
indicative of multicast traffic and can be safely ignored provided
multicast traffic is common or allowed on your networks."
More information about the Snort-sigs