Snort mailing list archives
DOS and gnutella
From: thelupine <thelupine () softhome net>
Date: 07 Aug 2002 20:21:04 -0400
Hello all,

I have been using IPTABLES and Snort as a personal firewall and IDS on my server/workstation at home. I am on RoadRunner, and I host some web pages, so that I can easily get to some files and stuff from work. The only ports I have enabled through IPTABLES are 8080 (Web) and 22 (SSH). Recently, I decided to install gtk-gnutella, and thought I would have to open port 6346 to allow this traffic. I've done this, and everything is working fine. I am able to download files, and I see others uploading stuff. However, today I received this:

08/07-14:26:48.992626 [**] [1:1408:5] DOS MSDTC attempt [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} <sourceIPhere>:6347 -> <myIPhere>:3372

This "attempt" occurred about 6000 times, and stopped when I shut off gnutella. I'm thinking this is a false positive, because of the newly added gnutella client. I've never had any kind of message like this before gnutella, and I've had this box up for months now. The source port is a gnutella port; weird how the destination is a Micro$not MSDTC service. I'm sure I have to tweak up my iptable script, and snort.conf, I'm just not exactly sure how. What should I change/add/remove?
Thanks in advance,
-Lup

Here is my iptable "firewall-start" script:

#!/bin/sh
################################################################
#
# LocalHost configuration
#
LocalHostInterface="lo"
LocalHostIP="127.0.0.1"
################################################################
#
# LAN connection
#
LANInterface="eth0"
################################################################
#
# IPTABLES Executable
#
IPTABLES="/sbin/iptables"
################################################################
#
# Modules Section
#
#/sbin/depmod -a
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_MASQUERADE
################################################################
#
# Default rules setup
#
# Flush any rules left from a previous run so re-running the script
# does not append a second copy of every rule
$IPTABLES -F
$IPTABLES -X
# Accept loopback interface
$IPTABLES -A INPUT -i $LocalHostInterface -j ACCEPT
$IPTABLES -A OUTPUT -o $LocalHostInterface -j ACCEPT
# Accept known addresses (tied to the LAN interface so a packet carrying a
# forged 192.168.1.x source that arrives on the Internet link is not accepted)
$IPTABLES -A INPUT -i $LANInterface -s 192.168.1.1 -j ACCEPT
$IPTABLES -A INPUT -i $LANInterface -s 192.168.1.0/24 -j ACCEPT
# Accept all outgoing traffic
$IPTABLES -A OUTPUT -j ACCEPT
# Accept already established connections
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Set default policy action
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD DROP
# Setup dynamic ip-addresses
echo 2 > /proc/sys/net/ipv4/ip_dynaddr
# Disallowed connections (bogus TCP flag combinations). These sit ahead of the
# per-service ACCEPTs: a rule is only reached if nothing above it matched, so
# placed after the ACCEPTs they would never see a packet aimed at 22, 8080 or 6346.
$IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
# Allow specified tcp services
$IPTABLES -A INPUT -p tcp --dport 8080 -j ACCEPT   # WWW services
$IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT     # SSH services
$IPTABLES -A INPUT -p tcp --dport 6346 -j ACCEPT   # Gnutella services
# Log connections
$IPTABLES -A INPUT -p ICMP -j LOG --log-prefix "FIREWALL:ATTEMPTED PING "
$IPTABLES -A INPUT -p tcp --dport 21 -j LOG --log-prefix "FIREWALL:ATTEMPTED FTP "
$IPTABLES -A INPUT -p tcp --dport 80 -j LOG --log-prefix "FIREWALL:ATTEMPTED WWW "
$IPTABLES -A INPUT -p tcp --dport 23 -j LOG --log-prefix "FIREWALL:ATTEMPTED TELNET "
$IPTABLES -A INPUT -p udp --dport 33434:33523 -j LOG --log-prefix "FIREWALL:ATTEMPTED TRACERT "
$IPTABLES -A INPUT -m limit --limit 5/minute -j LOG --log-prefix "FIREWALL: "
# Output results
$IPTABLES -L

------------------------------------------------------------------------

And here is my snort.conf:

###################################################
# Set the variables
var HOME_NET $eth1_ADDRESS
var EXTERNAL_NET any
var HTTP_SERVERS $HOME_NET
var SMTP $HOME_NET
var DNS_SERVERS [<RoadRunners DNS servers>]
var SQL_SERVERS $HOME_NET
var RULE_PATH /etc/snort
var HTTP_PORTS 8080
#
###################################################
# Setup preprocessors
preprocessor portscan-ignorehosts: $DNS_SERVERS
preprocessor frag2
preprocessor stream4: detect_scans
preprocessor stream4_reassemble
preprocessor http_decode: 8080 -unicode -cginull
preprocessor unidecode: 8080 -unicode -cginull
preprocessor rpc_decode: 111 32771
preprocessor bo: -nobrute
preprocessor portscan: $HOME_NET 4 3 /var/log/snort/port-scan.log
#
####################################################################
# Setup output plugins
#
#output alert_syslog: LOG_AUTH LOG_ALERT
output alert_fast: /var/log/snort/snort-alerts.log
# Note: the database plugins below log in as the MySQL root account; a
# dedicated low-privilege database user limits what a leaked config exposes.
output database: log, mysql, user=root password=test dbname=Snort host=localhost
output database: alert, mysql, user=root password=test dbname=Snort host=localhost
#
# Include classification & priority settings
#
include classification.config
#
####################################################################
# Setup rule set
#
# Up to date snort rules are available at http://www.snort.org
#
#include $RULE_PATH/local.rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-attacks.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/icmp-info.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/backdoor.rules
include $RULE_PATH/info.rules
include $RULE_PATH/virus.rules
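As a defender's triage aid for the alert quoted in the post, here is an added Python example (not from the post, and not Snort's own code) that parses alert_fast lines and flags sid 1408 hits whose remote port is a Gnutella port (6346/6347) and whose local port is in the ephemeral range as probable false positives, grouping them by the peer responsible. It assumes the rule matches on destination port 3372 and payload size rather than on MSDTC protocol content, a local dynamic port range of 1024-4999, and constructed sample lines using RFC 5737 documentation addresses.

```python
import re
from collections import Counter

# alert_fast line layout as printed in the post, with named fields.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+) \[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) \[\*\*\] "
    r"(?:\[Classification: (?P<cls>[^\]]+)\] )?(?:\[Priority: (?P<prio>\d+)\] )?"
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)
GNUTELLA_PORTS = {6346, 6347}        # the opened Gnutella port and its neighbour
EPHEMERAL_PORTS = range(1024, 5000)  # assumed local dynamic port range (2.4 kernel default)
MSDTC_SID = 1408                     # sid from the alert quoted in the post

def parse_alert(line):
    """Return the alert fields as a dict (ports and ids as int), or None if not an alert."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    for key in ("gid", "sid", "rev", "sport", "dport"):
        fields[key] = int(fields[key])
    return fields

def classify(alert):
    """Heuristic verdict: 'likely-false-positive', 'review' or 'other' (not sid 1408)."""
    if alert["sid"] != MSDTC_SID or alert["proto"] != "TCP":
        return "other"
    # Assumption: the rule keys on destination port 3372 plus payload size, so a Gnutella
    # peer talking to the ephemeral port our client chose looks the same to Snort as an
    # attack on a real MSDTC listener.
    if alert["sport"] in GNUTELLA_PORTS and alert["dport"] in EPHEMERAL_PORTS:
        return "likely-false-positive"
    return "review"

def triage(lines):
    """Count verdicts and which peer:port pairs produced the suspected false positives."""
    verdicts, peers = Counter(), Counter()
    for alert in filter(None, map(parse_alert, lines)):
        verdict = classify(alert)
        verdicts[verdict] += 1
        if verdict == "likely-false-positive":
            peers[f"{alert['src']}:{alert['sport']}"] += 1
    return verdicts, peers

# Constructed sample: the post's alert with documentation addresses, repeated once,
# plus one hit from a non-Gnutella source port that still deserves a human look.
SAMPLE = [
    "08/07-14:26:48.992626 [**] [1:1408:5] DOS MSDTC attempt [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 198.51.100.7:6347 -> 203.0.113.5:3372",
    "08/07-14:26:49.120004 [**] [1:1408:5] DOS MSDTC attempt [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 198.51.100.7:6347 -> 203.0.113.5:3372",
    "08/07-14:30:02.000001 [**] [1:1408:5] DOS MSDTC attempt [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 192.0.2.9:4321 -> 203.0.113.5:3372",
]
```

Running `triage(SAMPLE)` gives two likely false positives from 198.51.100.7:6347 and one alert left for review; the same function can be pointed at /var/log/snort/snort-alerts.log to see whether all ~6000 hits came from Gnutella peers.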