[Snort-users] non-standard-protocol : BAD-TRAFFIC IP Proto 103 PIM
Gregory S Thomas
greg.thomas at ...10143...
Thu May 17 15:11:35 EDT 2007
We modify the rule to make it less noisy:
# IPv4 multicast range (224.0.0.0/4)
var MULTICAST_NET 224.0.0.0/4
alert ip any any -> !$MULTICAST_NET any (msg:"BAD-TRAFFIC IP Proto 103 PIM"; ip_proto:103; reference:bugtraq,8211; reference:cve,2003-0567; reference:nessus,11791; classtype:non-standard-protocol; sid:2189; rev:4;)
Here's the line in oinkmaster.conf that performs the modification:
modifysid 2189 "->\s*any" | "-> !\$MULTICAST_NET"
---------- Original Message ----------
Subject: [Snort-users] non-standard-protocol : BAD-TRAFFIC IP Proto 103 PIM
Date: Thu, 17 May 2007 04:21:56 -0700
From: "David Ryan" <David.Ryan at ...13912...>
To: <snort-users at lists.sourceforge.net>
I am seeing loads (like 90% of all events) of these events showing up on
one of my Snort sensors. I have looked at the description here -
http://www.snort.org/pub-bin/sigs.cgi?sid=2189 - and I looked at the
rule definition and it appears to match simply on the existence of IP
protocol 103 as distinct from any payload within it.
I see the traffic coming from two known Cisco routers on the subnet I'm
monitoring and the traffic is destined for 18.104.22.168, which is the
multicast address for PIM -
http://www.networksorcery.com/enp/protocol/pim.htm. I have also
seen it on other sites and subnets on the network I am monitoring, so I
guess whatever function is causing this traffic to originate from the
router is used across the organisation.
In order to make the output from Snort a little more readable (and
because it is matching on the protocol and not the payload) I have
disabled this rule. I know the protocol in question is a
routing-related protocol, but does anyone have any views or explanation
on the normal use of this protocol?
IT Security Engineer, Global IT Security
Quintiles, Global IT - Infrastructure, QDUB
david.ryan at ...14057...
v: +353-1-819-5186, GMT+0
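The two messages above boil down to one point: sid 2189 fires on the IP protocol number alone, and the tuning works by excluding multicast destinations from the rule header. The following Python is an added example, not code from the thread or from Snort/oinkmaster: it applies the posted modifysid substitution to the rule text, then evaluates both the original and the modified header against a few constructed packets. The MULTICAST_NET value 224.0.0.0/4 (the IPv4 multicast range), the sample addresses, and the 224.0.0.13 ALL-PIM-ROUTERS destination are assumptions for illustration; the modifysid emulation is a plain regex substitution and the option parser only handles rules whose option values contain no ';'.

```python
import ipaddress
import re

# Rule text as shipped upstream (sid 2189 rev 4). The header is "any any -> any any":
# the only packet-level condition is ip_proto:103, no payload content is inspected.
ORIGINAL_RULE = (
    'alert ip any any -> any any (msg:"BAD-TRAFFIC IP Proto 103 PIM"; '
    'ip_proto:103; reference:bugtraq,8211; reference:cve,2003-0567; '
    'reference:nessus,11791; classtype:non-standard-protocol; sid:2189; rev:4;)'
)

# The oinkmaster modifysid from the thread, split into regex and replacement.
MODIFYSID_PATTERN = r"->\s*any"
MODIFYSID_REPLACEMENT = "-> !$MULTICAST_NET"

# Assumed snort.conf variable: 224.0.0.0/4 is the IPv4 multicast range.
VARIABLES = {"MULTICAST_NET": "224.0.0.0/4"}

RULE_HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<options>.*)\)\s*$"
)


def apply_modifysid(rule, pattern=MODIFYSID_PATTERN, replacement=MODIFYSID_REPLACEMENT):
    """Approximate oinkmaster's modifysid as a single regex substitution on the rule line."""
    return re.sub(pattern, lambda _m: replacement, rule, count=1)


def parse_rule(rule):
    """Split a one-line Snort rule into header fields and a dict of option lists."""
    m = RULE_HEADER_RE.match(rule)
    if m is None:
        raise ValueError("unrecognised rule header")
    fields = m.groupdict()
    options = {}
    # Sufficient for sid 2189: none of its option values contain ';'.
    for opt in fields.pop("options").split(";"):
        opt = opt.strip()
        if opt:
            key, _, value = opt.partition(":")
            options.setdefault(key, []).append(value)
    fields["options"] = options
    return fields


def address_matches(spec, addr, variables=VARIABLES):
    """Resolve a Snort address spec: 'any', '$VAR' or a CIDR, with an optional leading '!'."""
    negate = spec.startswith("!")
    if negate:
        spec = spec[1:]
    if spec == "any":
        hit = True
    else:
        if spec.startswith("$"):
            spec = variables[spec[1:]]
        hit = ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)
    return hit != negate


def rule_matches(rule, src, dst, ip_proto, variables=VARIABLES):
    """True if an IP packet (src, dst, protocol number) satisfies the header and ip_proto."""
    parsed = parse_rule(rule)
    if parsed["proto"] != "ip":
        return False  # only plain 'ip' rules are modelled here
    if not address_matches(parsed["src"], src, variables):
        return False
    if not address_matches(parsed["dst"], dst, variables):
        return False
    wanted = parsed["options"].get("ip_proto")
    return wanted is None or int(wanted[0]) == ip_proto


# Constructed sample traffic (not captured from the thread): (src, dst, IP protocol).
SAMPLE_PACKETS = [
    ("10.1.1.1", "224.0.0.13", 103),  # PIM Hello to ALL-PIM-ROUTERS: the noisy case
    ("10.1.1.1", "10.2.2.2", 103),    # unicast PIM, e.g. a Register towards an RP
    ("10.1.1.1", "224.0.0.1", 2),     # IGMP: different protocol number
]


def compare_rules(packets=SAMPLE_PACKETS):
    """Return [(original_alerts, modified_alerts), ...], one pair per packet."""
    modified = apply_modifysid(ORIGINAL_RULE)
    return [
        (rule_matches(ORIGINAL_RULE, s, d, p), rule_matches(modified, s, d, p))
        for s, d, p in packets
    ]


if __name__ == "__main__":
    print(apply_modifysid(ORIGINAL_RULE))
    for pkt, (before, after) in zip(SAMPLE_PACKETS, compare_rules()):
        print(pkt, "original:", before, "modified:", after)
```

Running it shows the trade-off of the tuning: the multicast Hello traffic from the routers stops alerting, while PIM sent to a unicast destination (which is the kind of packet that would be unusual on a segment with no multicast routing) still does. Any PIM that should be alerted on but goes to a group address is, of course, now silent too, so the exclusion is a statement about what is normal on that network rather than a fix for the rule.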