[Snort-users] DOS and gnutella

thelupine thelupine at ...2198...
Wed Aug 7 17:22:10 EDT 2002


Hello all, 

I have been using IPTABLES and Snort as a personal firewall and IDS on
my server/workstation at home.  I am on RoadRunner, and I host some web
pages, so that I can easily get to some files and stuff from work.  The
only ports I have enabled through IPTABLES are 8080 (Web) and 22 (SSH).

Recently, I decided to install gtk-gnutella, and thought I would have to
open port 6346 to allow this traffic.  I've done this, and everything is
working fine.  I am able to download files, and I see others uploading
stuff.  However, today I received this:

08/07-14:26:48.992626  [**] [1:1408:5] DOS MSDTC attempt [**]
[Classification: Attempted Denial of Service] [Priority: 2] {TCP}
<sourceIPhere>:6347 -> <myIPhere>:3372

This "attempt" occurred about 6000 times, and stopped when I shut off
gnutella.  I'm thinking this is a false positive, because of the newly
added gnutella client.  I've never had any kind of message like this
before gnutella, and I've had this box up for months now.  The source
port is a gnutella port, weird how the destination is a Micro$not MSDTC
service.  I'm sure I have to tweak up my iptable script, and snort.conf,
I'm just not exactly sure how.  What should I change/add/remove?

Thanks in advance, 
-Lup

Here is my iptable "firewall-start" script:

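#!/bin/sh
################################################################
#
# firewall-start: host firewall for a single workstation/server.
#
# Accepts loopback, the local LAN, and a short list of inbound TCP
# services (WWW on 8080, SSH on 22, Gnutella on 6346).  Everything
# else inbound falls through to the DROP policy, with a rate-limited
# sample written to the kernel log.  Re-running the script is safe:
# the filter chains are flushed before the rules are added.
#
################################################################
#
#
# LocalHost configuration

LocalHostInterface="lo"
LocalHostIP="127.0.0.1"

################################################################
#
#
# LAN connection
#
LANInterface="eth0"

################################################################
#
#
# IPTABLES Executable

IPTABLES="/sbin/iptables"

################################################################
#
#
# Modules Section

#/sbin/depmod -a
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_MASQUERADE

################################################################
#
#
# Default rules setup

# Start from empty chains so a second run does not append a duplicate
# copy of every rule below (the original appended unconditionally).
"$IPTABLES" -F INPUT
"$IPTABLES" -F OUTPUT
"$IPTABLES" -F FORWARD

# Accept loopback interface
"$IPTABLES" -A INPUT -i "$LocalHostInterface" -j ACCEPT
"$IPTABLES" -A OUTPUT -o "$LocalHostInterface" -j ACCEPT

# Disallowed connections: malformed TCP flag combinations.
# These are placed BEFORE every ACCEPT rule on purpose -- iptables
# stops at the first match, so a DROP that follows an ACCEPT for the
# same port is never reached for that port.
"$IPTABLES" -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
"$IPTABLES" -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
"$IPTABLES" -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
"$IPTABLES" -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
"$IPTABLES" -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
"$IPTABLES" -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

# Accept known addresses, but only when they arrive on the LAN NIC.
# A private (192.168.x.x) source address arriving on the Internet-facing
# NIC cannot be genuine, so tying the rule to the interface stops a
# spoofed source from matching.  If the LAN is on a different interface,
# change LANInterface above rather than removing the -i match.
"$IPTABLES" -A INPUT -i "$LANInterface" -s 192.168.1.1 -j ACCEPT
"$IPTABLES" -A INPUT -i "$LANInterface" -s 192.168.1.0/24 -j ACCEPT

# Accept all outgoing traffic
"$IPTABLES" -A OUTPUT -j ACCEPT

# Accept already established connections
"$IPTABLES" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Set default policy action
"$IPTABLES" -P INPUT DROP
"$IPTABLES" -P OUTPUT ACCEPT
"$IPTABLES" -P FORWARD DROP

# Setup dynamic ip-addresses
echo 2 > /proc/sys/net/ipv4/ip_dynaddr

# Allow specified tcp services
"$IPTABLES" -A INPUT -p tcp --dport 8080 -j ACCEPT	# WWW services
"$IPTABLES" -A INPUT -p tcp --dport 22 -j ACCEPT	# SSH services
"$IPTABLES" -A INPUT -p tcp --dport 6346 -j ACCEPT	# Gnutella services

# Log connections
# Each --log-prefix must stay on the same line as its rule.  When the
# string is broken across lines, iptables is invoked without a prefix
# argument and the shell then tries to run the leftover quoted text as
# a command of its own.
"$IPTABLES" -A INPUT -p ICMP -j LOG --log-prefix "FIREWALL:ATTEMPTED PING "
"$IPTABLES" -A INPUT -p tcp --dport 21 -j LOG --log-prefix "FIREWALL:ATTEMPTED FTP "
"$IPTABLES" -A INPUT -p tcp --dport 80 -j LOG --log-prefix "FIREWALL:ATTEMPTED WWW "
"$IPTABLES" -A INPUT -p tcp --dport 23 -j LOG --log-prefix "FIREWALL:ATTEMPTED TELNET "
"$IPTABLES" -A INPUT -p udp --dport 33434:33523 -j LOG --log-prefix "FIREWALL:ATTEMPTED TRACERT "
# Anything reaching this rule is about to hit the INPUT DROP policy;
# the limit match keeps a packet flood from filling the log.
"$IPTABLES" -A INPUT -m limit --limit 5/minute -j LOG --log-prefix "FIREWALL: "

# Output results
"$IPTABLES" -L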

------------------------------------------------------------------------
------------------------------------------------------------------------

And here is my snort.conf:

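###################################################
# Set the variables

# HOME_NET is taken from the address of eth1 when Snort starts
# (Snort's $<iface>_ADDRESS form); the other server lists below all
# collapse to that single host.
var HOME_NET $eth1_ADDRESS
var EXTERNAL_NET any
var HTTP_SERVERS $HOME_NET
var SMTP $HOME_NET
# Placeholder left by the author -- fill in the real resolver addresses.
var DNS_SERVERS [<RoadRunners DNS servers>]
var SQL_SERVERS $HOME_NET
var RULE_PATH /etc/snort
# Must match the port the web server and the http_decode preprocessor use.
var HTTP_PORTS 8080

#
###################################################
# Setup preprocessors

preprocessor portscan-ignorehosts: $DNS_SERVERS
preprocessor frag2
preprocessor stream4: detect_scans
preprocessor stream4_reassemble
preprocessor http_decode: 8080 -unicode -cginull
preprocessor unidecode: 8080 -unicode -cginull
preprocessor rpc_decode: 111 32771
preprocessor bo: -nobrute
preprocessor portscan: $HOME_NET 4 3 /var/log/snort/port-scan.log

#
####################################################################
# Setup output plugins
#

#output alert_syslog: LOG_AUTH LOG_ALERT
output alert_fast:/var/log/snort/snort-alerts.log
# Each output line is a single directive; it must not wrap without a
# trailing backslash, otherwise "host=localhost" is parsed on its own.
#
# The database credentials are stored here in clear text.  Use a
# dedicated, least-privileged database account for Snort rather than
# root, and keep this file readable only by the user Snort runs as.
output database: log, mysql, user=root password=test dbname=Snort host=localhost
output database: alert, mysql, user=root password=test dbname=Snort host=localhost


#
# Include classification & priority settings
#

include classification.config


#
####################################################################
# Setup rule set
#
# Up to date snort rules are available at http://www.snort.org
#

# local.rules is the usual home for site-specific tuning (e.g. pass
# rules for traffic known to be benign here); it is currently disabled.
#include $RULE_PATH/local.rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-attacks.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/icmp-info.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/backdoor.rules
include $RULE_PATH/info.rules
include $RULE_PATH/virus.rules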






