[Snort-users] DOS MSDTC attempt false positive

Matt Kettler mkettler at ...4108...
Wed May 8 10:41:29 EDT 2002

That broad a pass rule is probably a bad idea. Basically anyone could 
engage an attack on any "high port" service (ie: socks proxy on 1080) 
undetected by forcing the source port of there attack to 80 (requires root 
privileges on a box not running a port 80 webserver to do, but that's not 
hard to come by).

The snort rules themselves do not currently have much "Statefulness" and 
cannot directly tell if a packet is part of a session originated by 
home_net, or originated outside it. This would be a very nice feature, and 
it may be possible to implement something similar using flows (at the 
expense of more complicated rules).

I'd probably just edit the MSDTC rule to have a source port !80 instead of any.

Of course, this means that anyone can engage an attack on a MSDTC server in 
your network undetected by forcing the source port of the attack to 80, but 
it does reduce the false positives.

Heck, if your're smart enough to make sure you have NO systems in your 
network vulnerable, or even better, no systems which could have ever been 
vulnerable, you can probably safely disable this rule.

DOS attempt detection isn't worth the high false rate IMO, particularly if 
it is a DoS you know you're not subject to.

At 01:36 AM 5/9/2002 +1000, Kenny D wrote:
>i am getting numerous DOS false positives such as DOS
>MSDTC and DDOS mstream client to handler    where the
>source port is 80 and the destination port is 3372 and
>12754 respectively. These are return packets from an
>established connection ie the destination port is
> >1023. I was thinking of writing a pass rule to ignore
>alerts where source port is 80 and destination port
> >1023. Is this pass rule commonly used or can it make
>me vunerable in any way. A way to ignore return
>packets in established tcp connections would be
>extremely useful.
>I use snort 1.8.6 on redhat 7.2
>http://messenger.yahoo.com.au - Yahoo! Messenger
>- A great way to communicate long-distance for FREE!
>Have big pipes? SourceForge.net is looking for download mirrors. We supply
>the hardware. You get the recognition. Email Us: bandwidth at ...382...
>Snort-users mailing list
>Snort-users at lists.sourceforge.net
>Go to this URL to change user options or unsubscribe:
>Snort-users list archive:

More information about the Snort-users mailing list