[Snort-users] DOS MSDTC attempt false positive
bitored2002 at ...3162...
Wed May 8 10:47:02 EDT 2002
I know I'm not vulnerable to the MSDTC attack so I am
just going to disable that rule. However I'm afraid I
will spend my life adding pass rules for all these DOS
FPs. I suppose I will just have to live with it until
some sort of statefulness is included (if ever).
--- Matt Kettler <mkettler at ...4108...> wrote:
> That broad a pass rule is probably a bad idea.
> Basically anyone could engage an attack on any "high port" service (ie:
> socks proxy on 1080) undetected by forcing the source port of their
> attack to 80 (requires root privileges on a box not running a port 80
> webserver to do, but that's not hard to come by).
>
> The snort rules themselves do not currently have much "statefulness" and
> cannot directly tell if a packet is part of a session originated by
> home_net, or originated outside it. This would be a very nice feature, and
> it may be possible to implement something similar using flows (at the
> expense of more complicated rules).
>
> I'd probably just edit the MSDTC rule to have a source port !80 instead
> of any. Of course, this means that anyone can engage an attack on a MSDTC
> server in your network undetected by forcing the source port of the
> attack to 80, but it does reduce the false positives.
>
> Heck, if you're smart enough to make sure you have NO systems in your
> network vulnerable, or even better, no systems which could have ever been
> vulnerable, you can probably safely disable this
> DOS attempt detection isn't worth the high false rate IMO, particularly if
> it is a DoS you know you're not subject to.
> At 01:36 AM 5/9/2002 +1000, Kenny D wrote:
> >I am getting numerous DOS false positives such as
> >MSDTC and DDOS mstream client to handler where the
> >source port is 80 and the destination port is 3372 and
> >12754 respectively. These are return packets from an
> >established connection, ie the destination port is
> >>1023. I was thinking of writing a pass rule to pass
> >alerts where the source port is 80 and the destination port
> >is >1023. Is this pass rule commonly used, or can it
> >make me vulnerable in any way? A way to ignore return
> >packets in established TCP connections would be
> >extremely useful.
> >I use snort 1.8.6 on redhat 7.2
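As an added illustration that is not part of the thread, the three options discussed above (the blanket pass rule, Matt's "!80" source-port edit, and a flow-based rule) written out as Snort rule text. The MSDTC rule shown is a hypothetical stand-in with a local sid, not the rule from the Snort distribution; only the msg text and destination port 3372 come from the thread. $EXTERNAL_NET and $HOME_NET are assumed to be defined in snort.conf.

```snort
# Hypothetical stand-in for the MSDTC rule as it behaves in the thread:
# source port "any" means a web server's reply (src 80 -> dst 3372 on an
# internal client) matches just as well as a real attack.
alert tcp $EXTERNAL_NET any -> $HOME_NET 3372 (msg:"DOS MSDTC attempt"; flags:A+; classtype:attempted-dos; sid:1000001; rev:1;)

# Kenny's proposed blanket pass rule: drop everything from source port 80
# to any port >= 1024 ("1024:" is Snort's open-ended port range).
# Caveat from the thread: this also hides any attack whose source port was
# forced to 80. Note that Snort evaluates pass rules before alert rules
# only when started with the -o switch; without it the alert still fires.
pass tcp any 80 -> $HOME_NET 1024: (msg:"web replies to high ports (pass)";)

# Matt's narrower fix: exclude source port 80 only for this one rule,
# so the rest of the ruleset keeps full coverage.
alert tcp $EXTERNAL_NET !80 -> $HOME_NET 3372 (msg:"DOS MSDTC attempt"; flags:A+; classtype:attempted-dos; sid:1000002; rev:1;)

# Flow-based version: match only the client-to-server half of an
# established session, so server replies never trigger it regardless of
# source port. Assumes a Snort version that supports the flow keyword and
# has the stream4 preprocessor enabled (not Snort 1.8.6 as used in the thread).
alert tcp $EXTERNAL_NET any -> $HOME_NET 3372 (msg:"DOS MSDTC attempt"; flow:to_server,established; classtype:attempted-dos; sid:1000003; rev:1;)
```

The "!80" edit and the pass rule both trade detection for fewer alerts, as Matt notes; the flow-based form is the one that actually answers Kenny's request to ignore return packets of established connections, at the cost of depending on the stream preprocessor's session tracking.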