Snort mailing list archives
change to sid 2189 (PIM) to account for MCAST-NET
From: Jon Hart <warchild () spoofed org>
Date: Sat, 23 Aug 2003 21:48:44 -0400
Greetings,

After some new networking gear was brought online, rule sid 2189 went berserk and alerted quite often. IIRC, it wasn't from the new gear itself, but rather the result of new ACLs that now allowed multicast traffic to flow a bit more freely on the network(s) in question. They were all going to addresses in the 224.0.0.0/4 network, which is set aside for multicast traffic.

Because the exploit requires that the malicious traffic is targeted at a specific device and must "land" there, 'any' as a destination address in sid 2189 was initially sufficient. I've now changed my local rule to not alert on PIM traffic going to the multicast network. There may be a legitimate reason to alert on PIM traffic going to the multicast address, but I certainly can't think of one right now.

In snort.conf, I defined a new variable for this network:

    var MULTICAST_NET 224.0.0.0/4

And tweaked sid 2189 as follows:

    alert ip any any -> !MULTICAST_NET any (msg:"BAD-TRAFFIC IP Proto 103 (PIM)"; ip_proto:103; reference:bugtraq,8211; reference:cve,CAN-2003-0567; classtype:non-standard-protocol; sid:2189; rev:2;)

I'd like to hear people's thoughts on this change, if any. If it can't be changed, I think the documentation for this rule should be changed to note the possibility of high false positives:

"Possible. If traffic is destined for 224.0.0.0/4, this is usually indicative of multicast traffic and can be safely ignored provided multicast traffic is common or allowed on your networks."

-jon
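An added example, not part of Jon's post or of the Snort rule set: a small Python evaluator that applies the posted header, and a reconstructed 'any'-destination form of the stock header, to a handful of constructed packets. It shows that the `!MULTICAST_NET` negation suppresses PIM (IP protocol 103) sent to 224.0.0.0/4, such as PIM Hellos to the ALL-PIM-ROUTERS group 224.0.0.13, while still alerting on PIM aimed at a unicast address, which is the case the exploit needs. The packet list, the variable table and the 'any'-destination rule text are assumptions made for the example. One caveat for anyone copying the posted rule: Snort references a `var` from a rule as `$MULTICAST_NET`, so the evaluator accepts both that form and the bare name as posted.

```python
"""Added example (not from the original post or the Snort rule set): a minimal
evaluator for the destination-address part of sid 2189, before and after the
poster's !MULTICAST_NET tweak, run over constructed packets."""
import ipaddress
import re

# Constructed variable table mirroring the snort.conf line in the post.
SNORT_VARS = {"MULTICAST_NET": "224.0.0.0/4"}

# Assumed 'any'-destination form of the header (reconstructed, not the stock rule text).
ORIGINAL_RULE = ('alert ip any any -> any any (msg:"BAD-TRAFFIC IP Proto 103 (PIM)"; '
                 'ip_proto:103; classtype:non-standard-protocol; sid:2189;)')

# The tweaked header as posted (bare variable name, no '$').
TWEAKED_RULE = ('alert ip any any -> !MULTICAST_NET any (msg:"BAD-TRAFFIC IP Proto 103 (PIM)"; '
                'ip_proto:103; reference:bugtraq,8211; reference:cve,CAN-2003-0567; '
                'classtype:non-standard-protocol; sid:2189; rev:2;)')

# Constructed packets: (src, dst, ip_proto). 103 is PIM; 224.0.0.13 is the
# ALL-PIM-ROUTERS group that PIM Hellos are sent to.
PACKETS = [
    ("10.0.0.5", "224.0.0.13", 103),    # PIM Hello to the multicast group
    ("10.0.0.5", "239.1.2.3", 103),     # PIM to another multicast address
    ("10.0.0.5", "192.168.1.1", 103),   # PIM aimed at a router's unicast address
    ("10.0.0.5", "192.168.1.1", 6),     # ordinary TCP, not PIM
]

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)


def _addr_matcher(spec, variables):
    """Return a predicate for one header address field.

    Handles 'any', a CIDR, a variable written as $NAME (Snort's syntax) or the
    bare NAME form used in the post, and a leading '!' that negates the match.
    """
    negate = spec.startswith("!")
    if negate:
        spec = spec[1:]
    if spec == "any":
        return lambda ip: not negate
    name = spec[1:] if spec.startswith("$") else spec
    network = ipaddress.ip_network(variables.get(name, spec), strict=False)
    return lambda ip: (ipaddress.ip_address(ip) in network) != negate


def parse_rule(text, variables=SNORT_VARS):
    """Parse the header and the options this example cares about (ip_proto, sid)."""
    m = HEADER_RE.match(text)
    if not m:
        raise ValueError("unparseable rule header: %r" % text)
    opts = dict(re.findall(r"(\w+):([^;]*);", m.group("opts")))
    return {
        "sid": int(opts["sid"]),
        "src": _addr_matcher(m.group("src"), variables),
        "dst": _addr_matcher(m.group("dst"), variables),
        "ip_proto": int(opts["ip_proto"]) if "ip_proto" in opts else None,
    }


def rule_matches(rule, packet):
    """True if the packet's protocol and addresses satisfy the rule header."""
    src, dst, proto = packet
    if rule["ip_proto"] is not None and proto != rule["ip_proto"]:
        return False
    return rule["src"](src) and rule["dst"](dst)


def alerts(rule_text, packets=PACKETS, variables=SNORT_VARS):
    """Return the (src, dst) pairs that would raise an alert under rule_text."""
    rule = parse_rule(rule_text, variables)
    return [(src, dst) for src, dst, proto in packets
            if rule_matches(rule, (src, dst, proto))]


if __name__ == "__main__":
    for label, rule in (("original (any dst)", ORIGINAL_RULE),
                        ("tweaked (!MULTICAST_NET)", TWEAKED_RULE)):
        print(label, "->", alerts(rule))
```

Running it prints three alerts for the 'any'-destination form (both multicast packets plus the unicast one) and a single alert, the PIM packet aimed at 192.168.1.1, for the tweaked form; the TCP packet matches neither because `ip_proto:103` fails first.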