Snort mailing list archives
Re: DOS and gnutella
From: Ian Macdonald <secsnort () dirk demon co uk>
Date: Wed, 7 Aug 2002 23:16:58 -0400 (EDT)
This might be best asked on the snort signatures mailing list. Since you asked here, this is what you need to do. Find the rule in the snort rules set. Bring up the DOS file and look for MSDTC.

alert tcp $EXTERNAL_NET any -> $HOME_NET 3372 (msg:"DOS MSDTC attempt"; flow:to_server,established; dsize:>1023; reference:bugtraq,4006; classtype:attempted-dos; sid:1408; rev:5;)

So this triggers on traffic to 3372 that is larger than 1023 bytes? characters? and is coming from the server on an established connection. According to the alert listed below, you had a connection from <sourceIPhere>:6347 going to <myIPhere>:3372. Are you sure you opened up port 6346 rather than port 3372?

Ian

On 7 Aug 2002, thelupine wrote:
Hello all,

I have been using IPTABLES and Snort as a personal firewall and IDS on my server/workstation at home. I am on RoadRunner, and I host some web pages, so that I can easily get to some files and stuff from work. The only ports I have enabled through IPTABLES are 8080 (Web) and 22 (SSH). Recently, I decided to install gtk-gnutella, and thought I would have to open port 6346 to allow this traffic. I've done this, and everything is working fine. I am able to download files, and I see others uploading stuff. However, today I received this:

08/07-14:26:48.992626 [**] [1:1408:5] DOS MSDTC attempt [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} <sourceIPhere>:6347 -> <myIPhere>:3372

This "attempt" occurred about 6000 times, and stopped when I shut off gnutella. I'm thinking this is a false positive, because of the newly added gnutella client. I've never had any kind of message like this before gnutella, and I've had this box up for months now. The source port is a gnutella port; weird how the destination is a Micro$not MSDTC service. I'm sure I have to tweak up my iptable script and snort.conf, I'm just not exactly sure how. What should I change/add/remove?
Thanks in advance,
-Lup

Here is my iptable "firewall-start" script:

#!/bin/sh
################################################################
#
# LocalHost configuration
#
LocalHostInterface="lo"
LocalHostIP="127.0.0.1"
################################################################
#
# LAN connection
#
LANInterface="eth0"
################################################################
#
# IPTABLES Executable
#
IPTABLES="/sbin/iptables"
################################################################
#
# Modules Section
#
#/sbin/depmod -a
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_MASQUERADE
################################################################
#
# Default rules setup
#
# Accept loopback interface
$IPTABLES -A INPUT -i $LocalHostInterface -j ACCEPT
$IPTABLES -A OUTPUT -o $LocalHostInterface -j ACCEPT
# Accept known addresses
$IPTABLES -A INPUT -s 192.168.1.1 -j ACCEPT
$IPTABLES -A INPUT -s 192.168.1.0/24 -j ACCEPT
# Accept all outgoing traffic
$IPTABLES -A OUTPUT -j ACCEPT
# Accept already established connections
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Set default policy action
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD DROP
# Setup dynamic ip-addresses
echo 2 > /proc/sys/net/ipv4/ip_dynaddr
# Allow specifed tcp services
$IPTABLES -A INPUT -p tcp --dport 8080 -j ACCEPT    # WWW services
$IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT      # SSH services
$IPTABLES -A INPUT -p tcp --dport 6346 -j ACCEPT    # Gnutella services
# Disallowed connections
# (these are appended after the ACCEPT rules above, so iptables only reaches
#  them for packets that were not already accepted by an earlier rule)
$IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
# Log connections
$IPTABLES -A INPUT -p ICMP -j LOG --log-prefix "FIREWALL:ATTEMPTED PING "
$IPTABLES -A INPUT -p tcp --dport 21 -j LOG --log-prefix "FIREWALL:ATTEMPTED FTP "
$IPTABLES -A INPUT -p tcp --dport 80 -j LOG --log-prefix "FIREWALL:ATTEMPTED WWW "
$IPTABLES -A INPUT -p tcp --dport 23 -j LOG --log-prefix "FIREWALL:ATTEMPTED TELNET "
$IPTABLES -A INPUT -p udp --dport 33434:33523 -j LOG --log-prefix "FIREWALL:ATTEMPTED TRACERT "
$IPTABLES -A INPUT -m limit --limit 5/minute -j LOG --log-prefix "FIREWALL: "
# Output results
$IPTABLES -L

------------------------------------------------------------------------

And here is my snort.conf:

###################################################
# Set the variables
var HOME_NET $eth1_ADDRESS
var EXTERNAL_NET any
var HTTP_SERVERS $HOME_NET
var SMTP $HOME_NET
var DNS_SERVERS [<RoadRunners DNS servers>]
var SQL_SERVERS $HOME_NET
var RULE_PATH /etc/snort
var HTTP_PORTS 8080
#
###################################################
# Setup preprocessors
preprocessor portscan-ignorehosts: $DNS_SERVERS
preprocessor frag2
preprocessor stream4: detect_scans
preprocessor stream4_reassemble
preprocessor http_decode: 8080 -unicode -cginull
preprocessor unidecode: 8080 -unicode -cginull
preprocessor rpc_decode: 111 32771
preprocessor bo: -nobrute
preprocessor portscan: $HOME_NET 4 3 /var/log/snort/port-scan.log
#
####################################################################
# Setup output plugins
#
#output alert_syslog: LOG_AUTH LOG_ALERT
output alert_fast:/var/log/snort/snort-alerts.log
output database: log, mysql, user=root password=test dbname=Snort host=localhost
output database: alert, mysql, user=root password=test dbname=Snort host=localhost
#
# Include classification & priority settings
#
include classification.config
#
####################################################################
# Setup rule set
#
# Up to date snort rules are available at http://www.snort.org
#
#include $RULE_PATH/local.rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-attacks.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/icmp-info.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/backdoor.rules
include $RULE_PATH/info.rules
include $RULE_PATH/virus.rules

-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
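The following is an added example, not code from either poster or from Snort, showing how the rule Ian quotes is actually evaluated. It parses the rule header and its flow and dsize options, tracks which end of a TCP session counts as the server the way a stream tracker does, and runs three constructed packet sequences through it. The IP addresses are constructed stand-ins for <myIPhere> and <sourceIPhere>; the ports 6347 and 3372 are the ones in the alert. The FlowTracker is a simplified assumption about how stream4 orients a session (SYN destination, or the destination of the first packet seen when the handshake was missed), not Snort's own code.

```python
import re
from dataclasses import dataclass

# The rule quoted in Ian's reply (sid 1408, rev 5, from dos.rules).
RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 3372 (msg:"DOS MSDTC attempt"; '
        'flow:to_server,established; dsize:>1023; reference:bugtraq,4006; '
        'classtype:attempted-dos; sid:1408; rev:5;)')

# Constructed stand-ins for <myIPhere> and <sourceIPhere>; the ports are the alert's.
LOCAL, REMOTE = "10.0.0.5", "198.51.100.7"
HOME_NET = {LOCAL}


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str     # TCP flags, e.g. "S", "SA", "A", "PA"
    payload: int   # TCP payload length in bytes, which is what dsize tests


def parse_rule(text):
    """Extract the header fields and the options that decide whether sid 1408 fires."""
    head, opts = text.split("(", 1)
    _action, _proto, _src, _sport, _arrow, _dst, dport = head.split()
    options = {}
    for item in opts.rstrip(")").split(";"):
        key, _, value = item.strip().partition(":")
        if key:
            options[key] = value.strip()
    op, size = re.fullmatch(r"([<>]?)(\d+)", options["dsize"]).groups()
    return {"dport": int(dport), "dsize": (op, int(size)),
            "flow": set(options["flow"].split(",")),
            "sid": int(options["sid"]), "rev": int(options["rev"]),
            "msg": options["msg"].strip('"')}


class FlowTracker:
    """Simplified stand-in for stream4 session tracking (an assumption, not Snort's code).
    Server = the side that received the SYN; with no handshake seen, the first packet's
    destination is assumed to be the server and the session already established."""

    def __init__(self):
        self.sessions = {}

    def observe(self, pkt):
        key = frozenset([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)])
        s = self.sessions.get(key)
        if s is None:
            server = (pkt.src, pkt.sport) if pkt.flags == "SA" else (pkt.dst, pkt.dport)
            s = {"server": server, "synack": pkt.flags == "SA",
                 "established": pkt.flags not in ("S", "SA")}
            self.sessions[key] = s
        elif pkt.flags == "SA":
            s["synack"] = True
        elif "A" in pkt.flags and s["synack"]:
            s["established"] = True
        direction = "to_server" if (pkt.dst, pkt.dport) == s["server"] else "to_client"
        return direction, s["established"]


def matches(rule, pkt, direction, established):
    """Apply the rule header ($HOME_NET 3372) and the flow and dsize options."""
    if pkt.dst not in HOME_NET or pkt.dport != rule["dport"]:
        return False
    if "established" in rule["flow"] and not established:
        return False
    if "to_server" in rule["flow"] and direction != "to_server":
        return False
    op, size = rule["dsize"]
    return {">": pkt.payload > size, "<": pkt.payload < size, "": pkt.payload == size}[op]


def run(packets):
    """Feed packets through one tracker and return alerts in alert_fast style."""
    rule, tracker, alerts = parse_rule(RULE), FlowTracker(), []
    for pkt in packets:
        direction, established = tracker.observe(pkt)
        if matches(rule, pkt, direction, established):
            alerts.append(f"[1:{rule['sid']}:{rule['rev']}] {rule['msg']} "
                          f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
    return alerts


# Three constructed packet sequences; only the direction bookkeeping differs.
def outbound_session_with_handshake():
    """Local client connects out from ephemeral port 3372 to a peer's 6347 and the
    sensor sees the handshake: the 1400-byte reply is to_client, nothing fires."""
    return run([Packet(LOCAL, 3372, REMOTE, 6347, "S", 0),
                Packet(REMOTE, 6347, LOCAL, 3372, "SA", 0),
                Packet(LOCAL, 3372, REMOTE, 6347, "A", 0),
                Packet(REMOTE, 6347, LOCAL, 3372, "PA", 1400)])


def outbound_session_seen_midstream():
    """Same session, but the sensor missed the handshake: with no SYN to orient it,
    the tracker calls local:3372 the server and the rule fires."""
    return run([Packet(REMOTE, 6347, LOCAL, 3372, "PA", 1400),
                Packet(LOCAL, 3372, REMOTE, 6347, "A", 0)])


def inbound_connection_to_3372():
    """A remote host really connecting to local port 3372 and sending more than
    1023 bytes: the case the rule was written for."""
    return run([Packet(REMOTE, 6347, LOCAL, 3372, "S", 0),
                Packet(LOCAL, 3372, REMOTE, 6347, "SA", 0),
                Packet(REMOTE, 6347, LOCAL, 3372, "A", 0),
                Packet(REMOTE, 6347, LOCAL, 3372, "PA", 1400)])


if __name__ == "__main__":
    for scenario in (outbound_session_with_handshake, outbound_session_seen_midstream,
                     inbound_connection_to_3372):
        print(scenario.__name__, "->", scenario() or "no alert")
```

Run it as a script to see which sequences alert. What the model makes visible is that the rule keys on only three things: destination port 3372 on $HOME_NET, a session the tracker considers established with the data headed to whichever side it calls the server, and a payload over 1023 bytes. A local client that happens to use 3372 as its ephemeral source port satisfies the first and third on every large inbound data segment, so whether the rule fires comes down to how the tracker oriented that session.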
Current thread:
- DOS and gnutella thelupine (Aug 07)
- Re: DOS and gnutella Ian Macdonald (Aug 07)