Snort mailing list archives

Re: non-standard-protocol : BAD-TRAFFIC IP Proto 103 PIM


From: Gregory S Thomas <greg.thomas () pnl gov>
Date: Thu, 17 May 2007 12:11:35 -0700

We modify the rule to make it less noisy:

var MULTICAST_NET 224.0.0.0/4

alert ip any any -> !$MULTICAST_NET any (msg:"BAD-TRAFFIC IP Proto 103 PIM"; ip_proto:103; reference:bugtraq,8211; reference:cve,2003-0567; reference:nessus,11791; classtype:non-standard-protocol; sid:2189; rev:4;)

Here's the line in oinkmaster.conf that performs the modification:

modifysid 2189 "->\s*any" | "-> !\$MULTICAST_NET"

Cheers,

-- greg

---------- Original Message ----------
Subject: [Snort-users] non-standard-protocol : BAD-TRAFFIC IP Proto 103 PIM
Date: Thu, 17 May 2007 04:21:56 -0700
From: "David Ryan" <David.Ryan () Quintiles com>
To: <snort-users () lists sourceforge net>

Hi all, 

I am seeing loads (like 90% of all events) of these events showing up on 
one of my Snort sensors.  I have looked at the description here - 
http://www.snort.org/pub-bin/sigs.cgi?sid=2189 - and I looked at the
rule definition and it appears to match simply on the existence of IP 
protocol 103 as distinct from any payload within it. 

I see the traffic coming from two known Cisco routers on the subnet I'm 
monitoring and the traffic is destined for 224.0.0.13 which is the 
multicast address for PIM - 
http://www.networksorcery.com/enp/protocol/pim.htm. I have also seen
it on other sites and subnets on the network I am monitoring, so I
guess whatever function is causing this traffic to originate from the 
router is used across the organisation. 

In order to make the output from snort a little more readable (and 
because it is matching on the protocol and not the payload) I have 
disabled this rule.  I know the protocol in question is a 
routing-related protocol, but does anyone have any views or explanation 
on the normal use of this protocol?

Thanks, 
David

===========================================

David Ryan
IT Security Engineer, Global IT Security
Quintiles, Global IT - Infrastructure, QDUB

david.ryan () quintiles com
v:  +353-1-819-5186, GMT+0
m: +353-87-124-9108
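An added check, written for this archive page and not taken from the thread or from oinkmaster, that applies Greg's modifysid substitution to the SID 2189 rule text and then evaluates the resulting header against sample packets, confirming the tuned rule stays quiet for PIM sent to 224.0.0.13 but still fires for PIM sent to a unicast destination. The rule text and variable come from the messages above; the packet addresses are constructed, and the matcher deliberately handles only the header IP fields and the ip_proto option.

```python
import ipaddress
import re

# SID 2189 as quoted in the thread, with the original "-> any" destination
# (constructed from the thread text; the shipped rule file may differ).
ORIGINAL_RULE = (
    'alert ip any any -> any any (msg:"BAD-TRAFFIC IP Proto 103 PIM"; '
    'ip_proto:103; reference:bugtraq,8211; reference:cve,2003-0567; '
    'reference:nessus,11791; classtype:non-standard-protocol; sid:2189; rev:4;)'
)

# Variable definition from Greg's reply.
VARS = {"MULTICAST_NET": "224.0.0.0/4"}


def apply_modifysid(rule, pattern, replacement):
    # Mimic oinkmaster's modifysid: one regex substitution over the rule text.
    # The replacement is passed unescaped here; oinkmaster.conf needs "\$".
    return re.sub(pattern, replacement, rule, count=1)


def parse_header(rule):
    # Split "action proto src sport -> dst dport" off the option block.
    header = rule.split("(", 1)[0].strip()
    action, proto, src, sport, arrow, dst, dport = header.split()
    if arrow != "->":
        raise ValueError("only unidirectional rules are handled")
    return action, proto, src, sport, dst, dport


def ip_matches(field, ip):
    # Evaluate a Snort IP field ('any', '$VAR', '!$VAR', or a CIDR) for one address.
    negate = field.startswith("!")
    if negate:
        field = field[1:]
    if field == "any":
        return not negate
    if field.startswith("$"):
        field = VARS[field[1:]]
    hit = ipaddress.ip_address(ip) in ipaddress.ip_network(field, strict=False)
    return hit != negate


def rule_fires(rule, src_ip, dst_ip, ip_proto):
    # True when the header IPs and the ip_proto option match; no payload checks.
    _, _, src, _, dst, _ = parse_header(rule)
    m = re.search(r"ip_proto:(\d+);", rule)
    proto_ok = m is None or int(m.group(1)) == ip_proto
    return proto_ok and ip_matches(src, src_ip) and ip_matches(dst, dst_ip)


TUNED_RULE = apply_modifysid(ORIGINAL_RULE, r"->\s*any", "-> !$MULTICAST_NET")

if __name__ == "__main__":
    print(TUNED_RULE)
    print("PIM to 224.0.0.13 fires:", rule_fires(TUNED_RULE, "10.1.2.3", "224.0.0.13", 103))
```

The router-to-224.0.0.13 traffic David describes no longer matches, while PIM addressed to a host (the case the original signature was written for) still does.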
