[Snort-users] DOS MSDTC attempt false positive

Kenny D bitored2002 at ...3162...
Wed May 8 10:47:02 EDT 2002


Thanks,

i know im not vunerable to the MSDTC attack so i am
just going to disable that rule however im afraid i
will spend my life adding pass rules for all these DOS
fp's. I suppose i will just have to live with it until
some sort of statefullness is included (if ever).

 

--- Matt Kettler <mkettler at ...4108...> wrote: > That
broad a pass rule is probably a bad idea.
> Basically anyone could 
> engage an attack on any "high port" service (ie:
> socks proxy on 1080) 
> undetected by forcing the source port of there
> attack to 80 (requires root 
> privileges on a box not running a port 80 webserver
> to do, but that's not 
> hard to come by).
> 
> The snort rules themselves do not currently have
> much "Statefulness" and 
> cannot directly tell if a packet is part of a
> session originated by 
> home_net, or originated outside it. This would be a
> very nice feature, and 
> it may be possible to implement something similar
> using flows (at the 
> expense of more complicated rules).
> 
> I'd probably just edit the MSDTC rule to have a
> source port !80 instead of any.
> 
> Of course, this means that anyone can engage an
> attack on a MSDTC server in 
> your network undetected by forcing the source port
> of the attack to 80, but 
> it does reduce the false positives.
> 
> Heck, if your're smart enough to make sure you have
> NO systems in your 
> network vulnerable, or even better, no systems which
> could have ever been 
> vulnerable, you can probably safely disable this
> rule.
> 
> DOS attempt detection isn't worth the high false
> rate IMO, particularly if 
> it is a DoS you know you're not subject to.
> 
> 
> At 01:36 AM 5/9/2002 +1000, Kenny D wrote:
> >Hi,
> >
> >
> >i am getting numerous DOS false positives such as
> DOS
> >MSDTC and DDOS mstream client to handler    where
> the
> >source port is 80 and the destination port is 3372
> and
> >12754 respectively. These are return packets from
> an
> >established connection ie the destination port is
> > >1023. I was thinking of writing a pass rule to
> ignore
> >alerts where source port is 80 and destination port
> > >1023. Is this pass rule commonly used or can it
> make
> >me vunerable in any way. A way to ignore return
> >packets in established tcp connections would be
> >extremely useful.
> >
> >I use snort 1.8.6 on redhat 7.2
> >
> >Rgds,
> >
> >Kenny.
> >
> >http://messenger.yahoo.com.au - Yahoo! Messenger
> >- A great way to communicate long-distance for
> FREE!
> >
>
>_______________________________________________________________
> >
> >Have big pipes? SourceForge.net is looking for
> download mirrors. We supply
> >the hardware. You get the recognition. Email Us:
> bandwidth at ...382...
> >_______________________________________________
> >Snort-users mailing list
> >Snort-users at lists.sourceforge.net
> >Go to this URL to change user options or
> unsubscribe:
>
>https://lists.sourceforge.net/lists/listinfo/snort-users
> >Snort-users list archive:
>
>http://www.geocrawler.com/redir-sf.php3?list=snort-users
>  

http://messenger.yahoo.com.au - Yahoo! Messenger
- A great way to communicate long-distance for FREE!




More information about the Snort-users mailing list