[Snort-users] DOS and gnutella

Ian Macdonald secsnort at ...5528...
Wed Aug 7 20:20:02 EDT 2002


This might be best asked on the snort signatures mailing list. Since
you asked here, this is what you need to do. Find the rule in the snort
rules set. Bring up the DOS file and look for MSDTC.

alert tcp $EXTERNAL_NET any -> $HOME_NET 3372 (msg:"DOS MSDTC attempt";
flow:to_server,established; dsize:>1023; reference:bugtraq,4006;
classtype:attempted-dos; sid:1408;  rev:5;)


So this triggers on traffic to 3372 that is larger than 1023 bytes?
characters? and is coming from the server on an established connection.

According to the alert listed below you had a connection
from <sourceIPhere>:6347 going to <myIPhere>:3372. Are you sure you opened
up port 6346 rather than port 3372?

Ian

On 7 Aug 2002, thelupine wrote:

> Hello all,
>
> I have been using IPTABLES and Snort as a personal firewall and IDS on
> my server/workstation at home.  I am on RoadRunner, and I host some web
> pages, so that I can easily get to some files and stuff from work.  The
> only ports I have enabled through IPTABLES are 8080 (Web) and 22 (SSH).
>
> Recently, I decided to install gtk-gnutella, and thought I would have to
> open port 6346 to allow this traffic.  I've done this, and everything is
> working fine.  I am able to download files, and I see others uploading
> stuff.  However, today I received this:
>
> 08/07-14:26:48.992626  [**] [1:1408:5] DOS MSDTC attempt [**]
> [Classification: Attempted Denial of Service] [Priority: 2] {TCP}
> <sourceIPhere>:6347 -> <myIPhere>:3372
>
> This "attempt" occurred about 6000 times, and stopped when I shut off
> gnutella.  I'm thinking this is a false positive, because of the newly
> added gnutella client.  I've never had any kind of message like this
> before gnutella, and I've had this box up for months now.  The source
> port is a gnutella port, weird how the destination is a Micro$not MSDTC
> service.  I'm sure I have to tweak up my iptable script, and snort.conf,
> I'm just not exactly sure how.  What should I change/add/remove?
>
> Thanks in advance,
> -Lup
>
> Here is my iptable "firewall-start" script:
>
> #!/bin/sh
> ################################################################
> #
> #
> # LocalHost configuration
>
> LocalHostInterface="lo"
> LocalHostIP="127.0.0.1"
>
> ################################################################
> #
> #
> # LAN connection
> #
> LANInterface="eth0"
>
> ################################################################
> #
> #
> # IPTABLES Executable
>
> IPTABLES="/sbin/iptables"
>
> ################################################################
> #
> #
> # Modules Section
>
> #/sbin/depmod -a
> /sbin/modprobe ipt_LOG
> /sbin/modprobe ipt_MASQUERADE
>
> ################################################################
> #
> #
> # Default rules setup
>
> # Accept loopback interface
> $IPTABLES -A INPUT -i $LocalHostInterface -j ACCEPT
> $IPTABLES -A OUTPUT -o $LocalHostInterface -j ACCEPT
>
> # Accept known addresses
> $IPTABLES -A INPUT -s 192.168.1.1 -j ACCEPT
> $IPTABLES -A INPUT -s 192.168.1.0/24 -j ACCEPT
>
> # Accept all outgoing traffic
> $IPTABLES -A OUTPUT -j ACCEPT
>
> # Accept already established connections
> $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> # Set default policy action
> $IPTABLES -P INPUT DROP
> $IPTABLES -P OUTPUT ACCEPT
> $IPTABLES -P FORWARD DROP
>
> # Setup dynamic ip-addresses
> echo 2 > /proc/sys/net/ipv4/ip_dynaddr
>
> # Allow specifed tcp services
> $IPTABLES -A INPUT -p tcp --dport 8080 -j ACCEPT	# WWW services
> $IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT		# SSH services
> $IPTABLES -A INPUT -p tcp --dport 6346 -j ACCEPT	# Gnutella services
>
> # Disallowed connections
> $IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
> $IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
> $IPTABLES -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
> $IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
> $IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
> $IPTABLES -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
>
> # Log connections
> $IPTABLES -A INPUT -p ICMP -j LOG --log-prefix "FIREWALL:ATTEMPTED PING "
> $IPTABLES -A INPUT -p tcp --dport 21 -j LOG --log-prefix "FIREWALL:ATTEMPTED FTP "
> $IPTABLES -A INPUT -p tcp --dport 80 -j LOG --log-prefix "FIREWALL:ATTEMPTED WWW "
> $IPTABLES -A INPUT -p tcp --dport 23 -j LOG --log-prefix "FIREWALL:ATTEMPTED TELNET "
> $IPTABLES -A INPUT -p udp --dport 33434:33523 -j LOG --log-prefix "FIREWALL:ATTEMPTED TRACERT "
> $IPTABLES -A INPUT -m limit --limit 5/minute -j LOG --log-prefix "FIREWALL: "
>
> # Output results
> $IPTABLES -L
>
> ------------------------------------------------------------------------
> ------------------------------------------------------------------------
>
> And here is my snort.conf:
>
> ###################################################
> # Set the variables
>
> var HOME_NET $eth1_ADDRESS
> var EXTERNAL_NET any
> var HTTP_SERVERS $HOME_NET
> var SMTP $HOME_NET
> var DNS_SERVERS [<RoadRunners DNS servers>]
> var SQL_SERVERS $HOME_NET
> var RULE_PATH /etc/snort
> var HTTP_PORTS 8080
>
> #
> ###################################################
> # Setup preprocessors
>
> preprocessor portscan-ignorehosts: $DNS_SERVERS
> preprocessor frag2
> preprocessor stream4: detect_scans
> preprocessor stream4_reassemble
> preprocessor http_decode: 8080 -unicode -cginull
> preprocessor unidecode: 8080 -unicode -cginull
> preprocessor rpc_decode: 111 32771
> preprocessor bo: -nobrute
> preprocessor portscan: $HOME_NET 4 3 /var/log/snort/port-scan.log
>
> #
> ####################################################################
> # Setup output plugins
> #
>
> #output alert_syslog: LOG_AUTH LOG_ALERT
> output alert_fast:/var/log/snort/snort-alerts.log
> output database: log, mysql, user=root password=test dbname=Snort host=localhost
> output database: alert, mysql, user=root password=test dbname=Snort host=localhost
>
>
> #
> # Include classification & priority settings
> #
>
> include classification.config
>
>
> #
> ####################################################################
> # Setup rule set
> #
> # Up to date snort rules are available at http://www.snort.org
> #
>
> #include $RULE_PATH/local.rules
> include $RULE_PATH/bad-traffic.rules
> include $RULE_PATH/exploit.rules
> include $RULE_PATH/scan.rules
> include $RULE_PATH/finger.rules
> include $RULE_PATH/ftp.rules
> include $RULE_PATH/telnet.rules
> include $RULE_PATH/smtp.rules
> include $RULE_PATH/rpc.rules
> include $RULE_PATH/rservices.rules
> include $RULE_PATH/dos.rules
> include $RULE_PATH/ddos.rules
> include $RULE_PATH/dns.rules
> include $RULE_PATH/tftp.rules
> include $RULE_PATH/web-coldfusion.rules
> include $RULE_PATH/web-iis.rules
> include $RULE_PATH/web-frontpage.rules
> include $RULE_PATH/web-misc.rules
> include $RULE_PATH/web-attacks.rules
> include $RULE_PATH/sql.rules
> include $RULE_PATH/x11.rules
> include $RULE_PATH/icmp.rules
> include $RULE_PATH/icmp-info.rules
> include $RULE_PATH/netbios.rules
> include $RULE_PATH/misc.rules
> include $RULE_PATH/attack-responses.rules
> include $RULE_PATH/backdoor.rules
> include $RULE_PATH/info.rules
> include $RULE_PATH/virus.rules
>

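Ian's check, written out as an added example that is not part of the thread: it parses the dos.rules entry and the alert_fast line quoted above, then cross-checks the alert against the rule and against the ports the firewall script actually opens (8080, 22, 6346). The rule and alert text are copied from the post; `OPENED_PORTS` and the function names are my own.

```python
import re

# Inputs copied from the thread: the dos.rules entry Ian quoted and the
# alert_fast line Lup posted (IP placeholders exactly as in the post).
RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 3372 (msg:"DOS MSDTC attempt"; '
        'flow:to_server,established; dsize:>1023; reference:bugtraq,4006; '
        'classtype:attempted-dos; sid:1408; rev:5;)')
ALERT = ('08/07-14:26:48.992626  [**] [1:1408:5] DOS MSDTC attempt [**] '
         '[Classification: Attempted Denial of Service] [Priority: 2] {TCP} '
         '<sourceIPhere>:6347 -> <myIPhere>:3372')
OPENED_PORTS = {8080, 22, 6346}  # the --dport ACCEPT lines in the firewall script

def parse_rule(text):
    """Split a Snort rule into its header fields and an option dict (msg, flow, sid...)."""
    head, body = text.split("(", 1)
    action, proto, src, sport, _, dst, dport = head.split()
    opts = {}
    for opt in body.rstrip(")").split(";"):
        if ":" in opt:
            key, val = opt.split(":", 1)
            opts[key.strip()] = val.strip().strip('"')
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "opts": opts}

def parse_fast_alert(line):
    """Pull gid:sid:rev, message, protocol and the 5-tuple out of an alert_fast line."""
    m = re.search(r"\[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\].*?\{(\w+)\} "
                  r"(\S+):(\d+) -> (\S+):(\d+)", line)
    gid, sid, rev, msg, proto, sip, sport, dip, dport = m.groups()
    return {"gid": int(gid), "sid": int(sid), "rev": int(rev), "msg": msg,
            "proto": proto.lower(), "src": sip, "sport": int(sport),
            "dst": dip, "dport": int(dport)}

def cross_check(rule, alert, opened):
    """Ian's reasoning as code: does the alert fit the rule, and did the firewall open that port?"""
    findings = []
    if (int(rule["opts"]["sid"]), int(rule["opts"]["rev"])) != (alert["sid"], alert["rev"]):
        findings.append("alert sid/rev does not match the quoted rule")
    if str(alert["dport"]) == rule["dport"]:
        findings.append("rule fired on destination port %s (%s)"
                        % (rule["dport"], rule["opts"]["msg"]))
    if "to_server" in rule["opts"].get("flow", ""):
        # flow:to_server matches packets travelling client -> server, so the
        # alert's destination is the server side of the tracked session.
        findings.append("flow:to_server: %s:%d is the client side, %s:%d the server side"
                        % (alert["src"], alert["sport"], alert["dst"], alert["dport"]))
    if alert["dport"] not in opened:
        findings.append("destination port %d is not among the opened ports %s"
                        % (alert["dport"], sorted(opened)))
    return findings
```

Running `cross_check(parse_rule(RULE), parse_fast_alert(ALERT), OPENED_PORTS)` reports that sid 1408 fired on destination port 3372, which is not one of the three ports the script opens.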