[Snort-users] snort rule question..

Matt Kettler mkettler at ...4108...
Thu May 2 08:46:02 EDT 2002

Ok, I think you have a bit of a misunderstanding about how smart snort is. 
"the logic" doesn't classify anything, there are just simple rules which 
match patterns of behavior against ones which exist in attacks. Most of the 
snort signatures are (and many have to be) so generic that they will have a 
tendency to go off for some forms of legitimate traffic.

Look at the rule in question.

dos.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 617 (msg:"DOS arkiea backup"; 
flags:A+; dsize:>1445; reference:bugtraq,662; reference:cve,CVE-1999-0788; 
reference:arachnids,261; classtype:attempted-dos; sid:282; rev:3;)

This will go off for any TCP segment with the ACK bit set that is greater than 
1445 bytes in length and is sent to port 617.

This rule is pretty generic, but so is the exploit. From the exploit 
description of this bugtraq ID on security focus:

"Connect to the port nlservd is listening to and send it a long string. It 
will crash."

Hence the rule will match traffic which is relatively ordinary. Arkeia 
backup would crash if given relatively ordinary (albeit unexpected by the 
programmer) inputs. The same kind of traffic pattern that would crash 
Arkeia is apparently used by Veritas on the same port.

At 03:40 PM 5/1/2002 -0500, Taylor Lewick wrote:
>Apparently, Veritas netbackup bpcd (backup plus control daemon) traffic 
>sets off a rule in snort for DOS arkiea backup Classification Attempted 
>Denial of Service...
>Any idea why the logic would classify this as a denial of service...
>Does this process flood the port or something?
>Taylor Lewick
>Unix System Administrator
>Fortis Benefits
>816 881 6073
>"Help Wanted.  Seeking Telepath..."
>"You Know where to apply."

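To make the matching logic concrete, here is an added example (not from the post, and not Snort's own code) that evaluates the three conditions of sid 282 that matter here (destination port, flags:A+, dsize:>1445) against constructed TCP segments; the segments, the Segment type and the helper names are assumptions for illustration, and address variables like $HOME_NET are ignored.

```python
# Added example: a minimal evaluator for the option subset used by Snort
# sid 282 (flags:A+; dsize:>1445; dst port 617), run over constructed TCP
# segments to show why ordinary bulk traffic on port 617 fires the rule.
import re
from dataclasses import dataclass

# Rule text as posted on the list; $EXTERNAL_NET/$HOME_NET are not evaluated.
RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 617 (msg:"DOS arkiea backup"; '
        'flags:A+; dsize:>1445; reference:bugtraq,662; reference:cve,CVE-1999-0788; '
        'reference:arachnids,261; classtype:attempted-dos; sid:282; rev:3;)')

FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}

@dataclass
class Segment:            # constructed, simplified view of one TCP segment
    dst_port: int
    flags: int            # raw TCP flag bits
    payload_len: int      # TCP payload bytes, which is what dsize inspects

def parse_rule(rule):
    """Return (dst_port, options) from a one-line Snort rule string."""
    head, body = rule.split("(", 1)
    dst_port = int(head.split()[6])
    opts = {}
    for opt in body.rstrip(")").split(";"):
        if ":" in opt:
            k, v = opt.split(":", 1)
            opts.setdefault(k.strip(), []).append(v.strip())
    return dst_port, opts

def flags_match(spec, seg_flags):
    """flags:A+ : listed bits must be set; '+' allows any extra bits
    (the '*' and '!' modifiers are not handled in this example)."""
    allow_extra = spec.endswith("+")
    want = sum(FLAG_BITS[c] for c in spec.rstrip("+"))
    return (seg_flags & want) == want and (allow_extra or seg_flags == want)

def dsize_match(spec, n):
    op, val = re.fullmatch(r"([<>]?)(\d+)", spec).groups()
    return {"": n == int(val), ">": n > int(val), "<": n < int(val)}[op]

def rule_matches(rule, seg):
    dst_port, opts = parse_rule(rule)
    return (seg.dst_port == dst_port
            and flags_match(opts["flags"][0], seg.flags)
            and dsize_match(opts["dsize"][0], seg.payload_len))

# Constructed traffic: a full-size ACK|PSH data segment of the kind a backup
# client sends, a small ACK, and a large packet without ACK.
SEGMENTS = {
    "bulk_data_ack_psh": Segment(617, FLAG_BITS["A"] | FLAG_BITS["P"], 1460),
    "small_ack": Segment(617, FLAG_BITS["A"], 200),
    "large_syn_no_ack": Segment(617, FLAG_BITS["S"], 1500),
}
```

Only the full-size data segment matches, which is exactly the shape of a legitimate large write to port 617 and of the "long string" the bugtraq entry describes.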