AW: [Snort-users] DOS and gnutella

Poppi, Sandro Sandro.Poppi at ...3316...
Wed Aug 7 22:17:04 EDT 2002


Hi
> 
> Hello all, 
> 
> I have been using IPTABLES and Snort as a personal firewall and IDS on
> my server/workstation at home.  I am on RoadRunner, and I 
> host some web
> pages, so that I can easily get to some files and stuff from 
> work.  The
> only ports I have enable through IPTABLES is 8080 (Web) and 22 (SSH).
> 
> Recently, I decided to install gtk-gnutella, and thought I 
> would have to
> open port 6346 to allow this traffic.  I've done this, and 
> everything is
> working fine.  I am able to download files, and I see others uploading
> stuff.  However, today I received this:
> 
> 08/07-14:26:48.992626  [**] [1:1408:5] DOS MSDTC attempt [**]
> [Classification: Attempted Denial of Service] [Priority: 2] {TCP}
> <sourceIPhere>:6347 -> <myIPhere>:3372
> 
> This "attempt" occurred about 6000 times, and stopped when I shut off
> gnutella.  I'm thinking this is a false positive, because of the newly
> added gnutella client.  I've never had any kind of message like this
> before gnutella, and I've had this box up for months now.  The source
> port is a gnutella port, weird how the destination is a 
> Micro$not MSDTC
> service.  I'm sure I have to tweak up my iptable script, and 
> snort.conf,
> I'm just not exactly sure how.  What should I change/add/remove?
> 
Take a look at the signature:

alert tcp $EXTERNAL_NET any -> $HOME_NET 3372 (msg:"DOS MSDTC attempt";
flags:A+; dsize:>1023; reference:bugtraq,4006; classtype:attempted-dos;
sid:1408; rev:4;)

This tells you that the rule is triggered for an established session to one
of your hosts on port 3372 where the packet size is greater than 1023 bytes.
I would say you had a gnutella download and your IP stack chose to use port
3372 for that connection. This will happen now and then. For me this is a
false positive (which I also receive for various other services because that
rule is really general).

So no change on your iptables would be necessary. Also, if you don't have any
Windows hosts running, disabling that rule would do the trick anyway ;)

To verify what I said do a tcpdump of a new gnutella session and you'll see.

So long,
Sandro
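The rule quoted in the reply above, modelled as a small matcher so you can see why a Gnutella data segment arriving on local ephemeral port 3372 satisfies flags:A+ and dsize:>1023 while the handshake, small segments and other ports do not. This is an added example, not code from the thread or from Snort itself; the home network 192.168.1.0/24, the peer address and the sample packets are constructed, and $EXTERNAL_NET is treated as !$HOME_NET.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed example (not Snort's own code): a minimal model of the match
# conditions in the sid 1408 rule, to show why a Gnutella download that
# lands on local ephemeral port 3372 fires "DOS MSDTC attempt".

RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 3372 (msg:"DOS MSDTC attempt"; '
        'flags:A+; dsize:>1023; reference:bugtraq,4006; classtype:attempted-dos; '
        'sid:1408; rev:4;)')

# Assumed home network for the example; $EXTERNAL_NET is treated as !$HOME_NET.
HOME_NET = ipaddress.ip_network("192.168.1.0/24")


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str        # TCP flag letters as Snort writes them: S, A, P, F, R, U
    payload_len: int  # bytes of TCP payload, which is what dsize tests


def parse_rule(rule):
    """Pull the header fields and the options this example understands out of a rule."""
    header, options = rule.split("(", 1)
    action, proto, src, sport, _arrow, dst, dport = header.split()
    opts = dict(re.findall(r'(\w+):("[^"]*"|[^;]*);', options))
    return {
        "proto": proto, "src": src, "dst": dst,
        "dport": int(dport),
        "msg": opts["msg"].strip('"'),
        "flags": opts.get("flags"),
        "dsize": opts.get("dsize"),
        "sid": int(opts["sid"]),
    }


def flags_match(spec, pkt_flags):
    """flags:A+ -> ACK set, any other flag may also be set; flags:A -> exactly ACK;
    flags:A* -> any listed flag set. The '!' negation is not modelled here."""
    modifier = spec[-1] if spec[-1] in "+*" else ""
    listed = set(spec.rstrip("+*"))
    actual = set(pkt_flags)
    if modifier == "+":
        return listed <= actual
    if modifier == "*":
        return bool(listed & actual)
    return listed == actual


def dsize_match(spec, length):
    """dsize:>N / dsize:<N / dsize:N (exact), as in Snort 2 rule syntax."""
    if spec.startswith(">"):
        return length > int(spec[1:])
    if spec.startswith("<"):
        return length < int(spec[1:])
    return length == int(spec)


def in_var(var, ip):
    """Resolve $HOME_NET / $EXTERNAL_NET / any against an address."""
    addr = ipaddress.ip_address(ip)
    if var == "$HOME_NET":
        return addr in HOME_NET
    if var == "$EXTERNAL_NET":
        return addr not in HOME_NET
    return var == "any"


def rule_fires(rule, pkt):
    """Apply the header and option checks in the order Snort would for this rule."""
    if rule["proto"] != "tcp":
        return False
    if not (in_var(rule["src"], pkt.src) and in_var(rule["dst"], pkt.dst)):
        return False
    if pkt.dport != rule["dport"]:
        return False
    if rule["flags"] and not flags_match(rule["flags"], pkt.flags):
        return False
    if rule["dsize"] and not dsize_match(rule["dsize"], pkt.payload_len):
        return False
    return True


def alerts_for(packets):
    """Return (src, sport, dport, payload_len) for every packet that trips the rule."""
    rule = parse_rule(RULE)
    return [(p.src, p.sport, p.dport, p.payload_len) for p in packets if rule_fires(rule, p)]


# Constructed traffic: a Gnutella peer (sport 6347) pushing file data to a
# download connection the local stack opened from ephemeral port 3372.
SAMPLE = [
    Packet("10.9.8.7", 6347, "192.168.1.5", 3372, "S", 0),       # handshake, no ACK yet
    Packet("10.9.8.7", 6347, "192.168.1.5", 3372, "PA", 1400),   # full-size data segment
    Packet("10.9.8.7", 6347, "192.168.1.5", 3372, "PA", 512),    # small data segment
    Packet("10.9.8.7", 6347, "192.168.1.5", 3373, "PA", 1400),   # some other ephemeral port
    Packet("192.168.1.5", 3372, "10.9.8.7", 6347, "A", 0),       # our own ACKs going out
]

if __name__ == "__main__":
    for hit in alerts_for(SAMPLE):
        print("sid 1408 would fire on", hit)
```

Only the 1400-byte data segment fires, and every such segment of the download fires again, which is why one transfer produced thousands of alerts; on a host with no MSDTC listener the rule carries no information and disabling it is the cheapest fix.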