[Snort-users] DOS MSDTC attempt false positive
mkettler at ...4108...
Wed May 8 10:41:29 EDT 2002
That broad a pass rule is probably a bad idea. Basically anyone could
engage an attack on any "high port" service (ie: socks proxy on 1080)
undetected by forcing the source port of their attack to 80 (requires root
privileges on a box not running a port 80 webserver to do, but that's not
hard to come by).
The snort rules themselves do not currently have much "Statefulness" and
cannot directly tell if a packet is part of a session originated by
home_net, or originated outside it. This would be a very nice feature, and
it may be possible to implement something similar using flows (at the
expense of more complicated rules).
I'd probably just edit the MSDTC rule to have a source port !80 instead of any.
Of course, this means that anyone can engage an attack on a MSDTC server in
your network undetected by forcing the source port of the attack to 80, but
it does reduce the false positives.
Heck, if you're smart enough to make sure you have NO systems in your
network vulnerable, or even better, no systems which could have ever been
vulnerable, you can probably safely disable this rule.
DOS attempt detection isn't worth the high false rate IMO, particularly if
it is a DoS you know you're not subject to.
At 01:36 AM 5/9/2002 +1000, Kenny D wrote:
>i am getting numerous DOS false positives such as DOS
>MSDTC and DDOS mstream client to handler where the
>source port is 80 and the destination port is 3372 and
>12754 respectively. These are return packets from an
>established connection ie the destination port is
> >1023. I was thinking of writing a pass rule to ignore
>alerts where source port is 80 and destination port
> >1023. Is this pass rule commonly used or can it make
>me vulnerable in any way. A way to ignore return
>packets in established tcp connections would be
>I use snort 1.8.6 on redhat 7.2
>Snort-users mailing list
>Snort-users at lists.sourceforge.net
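The three rule choices discussed in this thread (Kenny D's broad pass rule, mkettler's source port !80 variant, and a direction-aware rule using Snort's flow option) run over constructed traffic, as an added example that is not part of the original thread and is not Snort code. It assumes a constructed network (10.0.0.5 running MSDTC on TCP 3372, a web server at 203.0.113.7, an attacker at 198.51.100.9), uses dsize:>1023 as a stand-in for the real signature's payload checks, and implements only the slice of rule syntax the comparison needs: port specs any/80/!80/1024:, dsize, and flow:to_server,established on top of a minimal SYN-based session tracker.

```python
from collections import namedtuple
from dataclasses import dataclass

HOME_NET = {"10.0.0.5"}          # constructed: the host running MSDTC on TCP 3372
MSDTC_HOST, WEB_SERVER, ATTACKER = "10.0.0.5", "203.0.113.7", "198.51.100.9"

# flags are TCP flags as Snort spells them (S, SA, A, PA); size is payload bytes
Packet = namedtuple("Packet", "src sport dst dport flags size")

@dataclass(frozen=True)
class Rule:                 # header is always "tcp $EXTERNAL_NET <sport> -> $HOME_NET <dport>"
    action: str             # "alert" or "pass"
    sport: str              # Snort port spec: "any", "80", "!80", "1024:"
    dport: str
    dsize_gt: int = -1      # dsize:>N ; -1 means no size check
    flow: str = ""          # "" or e.g. "to_server,established"
    msg: str = ""

class SessionTable:
    """Minimal stream tracker: whoever sent the first SYN is the client."""
    def __init__(self):
        self.sessions = {}

    def observe(self, p):
        key = frozenset([(p.src, p.sport), (p.dst, p.dport)])   # same key in both directions
        if p.flags == "S":
            self.sessions[key] = {"client": (p.src, p.sport), "established": False}
        elif key in self.sessions and "A" in p.flags:
            self.sessions[key]["established"] = True
        return self.sessions.get(key)

def port_matches(spec, port):
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not port_matches(spec[1:], port)
    if spec.endswith(":"):                   # "1024:" means 1024 and above
        return port >= int(spec[:-1])
    return port == int(spec)

def flow_matches(rule, p, sess):
    if not rule.flow:
        return True
    if sess is None or ("established" in rule.flow and not sess["established"]):
        return False
    return "to_server" not in rule.flow or (p.src, p.sport) == sess["client"]

def matches(r, p, sess):
    return (p.src not in HOME_NET and p.dst in HOME_NET
            and port_matches(r.sport, p.sport) and port_matches(r.dport, p.dport)
            and p.size > r.dsize_gt and flow_matches(r, p, sess))

def evaluate(rules, packets):
    """Alert message fired per packet ("" if none). Pass rules are tested before alert
    rules, the Pass|Alert|Log order Snort 1.x only uses when started with -o; under the
    default Alert|Pass|Log order a pass rule never suppresses anything."""
    table, fired = SessionTable(), []
    for p in packets:
        sess, hit = table.observe(p), ""
        for r in sorted(rules, key=lambda r: r.action != "pass"):
            if matches(r, p, sess):
                hit = "" if r.action == "pass" else r.msg
                break
        fired.append(hit)
    return fired

def session(client, cport, server, sport, data_from, size):
    """Three-way handshake plus one data packet sent by the client or the server."""
    c, s = (client, cport), (server, sport)
    pkts = [Packet(*c, *s, "S", 0), Packet(*s, *c, "SA", 0), Packet(*c, *s, "A", 0)]
    src, dst = (s, c) if data_from == "server" else (c, s)
    return pkts + [Packet(*src, *dst, "PA", size)]

# Constructed traffic: a home host browsing from ephemeral port 3372 (the case in the
# thread), a real attack on the MSDTC port, and the same attack sent from source port 80.
TRACES = {
    "web return traffic":    session(MSDTC_HOST, 3372, WEB_SERVER, 80, "server", 1400),
    "attack from port 4444": session(ATTACKER, 4444, MSDTC_HOST, 3372, "client", 1500),
    "attack from port 80":   session(ATTACKER, 80, MSDTC_HOST, 3372, "client", 1500),
}

# dsize:>1023 stands in for the real signature's payload checks (an assumption here).
MSDTC = dict(dport="3372", dsize_gt=1023, msg="DOS MSDTC attempt")
POLICIES = {
    # alert tcp $EXTERNAL_NET any -> $HOME_NET 3372 (...)  +  pass tcp $EXTERNAL_NET 80 -> $HOME_NET 1024:
    "broad pass rule": [Rule("alert", "any", **MSDTC), Rule("pass", "80", "1024:")],
    # alert tcp $EXTERNAL_NET !80 -> $HOME_NET 3372 (...)
    "source port !80": [Rule("alert", "!80", **MSDTC)],
    # alert tcp $EXTERNAL_NET any -> $HOME_NET 3372 (flow:to_server,established; ...)
    "flow:to_server":  [Rule("alert", "any", flow="to_server,established", **MSDTC)],
}

def summarize():
    """For each policy, which traces raise at least one alert."""
    return {name: {t: any(evaluate(rules, pkts)) for t, pkts in TRACES.items()}
            for name, rules in POLICIES.items()}
```

summarize() returns one result set per policy: the broad pass rule and the !80 rule both stay silent on the attack sent from source port 80, exactly the evasion described above, while the flow-based rule still fires because the attacker's host is the one that sent the SYN, and it still ignores the genuine web return traffic to ephemeral port 3372. One practical caveat for anyone trying the pass-rule route on Snort 1.x: alert rules are tested before pass rules unless Snort is started with -o, so a pass rule added without that switch changes nothing.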