Snort mailing list archives

Re: snort rule question..


From: Matt Kettler <mkettler () evi-inc com>
Date: Thu, 02 May 2002 11:47:17 -0400

Ok, I think you have a bit of a misunderstanding about how smart snort is. "the logic" doesn't classify anything, there are just simple rules which match patterns of behavior against ones which exist in attacks. Most of the snort signatures are (and many have to be) so generic that they will have a tendency to go off for some forms of legitimate traffic.

Look at the rule in question.

dos.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 617 (msg:"DOS arkiea backup"; flags: A+; dsize: >1445; reference:bugtraq,662; reference:cve,CVE-1999-0788; reference:arachnids,261; classtype:attempted-dos; sid:282; rev:3;)

This will go off for any TCP segment with an Ack bit, that is greater than 1445 bytes in length, that is sent to port 617.

This rule is pretty generic, but so is the exploit. From the exploit description of this bugtraq ID on security focus:

"Connect to the port nlservd is listening to and send it a long string. It will crash."

Hence the rule that will match traffic which is relatively ordinary. Arkeia backup would crash if given relatively ordinary (albeit unexpected by the programmer) inputs. The same kind of traffic pattern that would crash Arkeia is apparently used by Veritas on the same port.


At 03:40 PM 5/1/2002 -0500, Taylor Lewick wrote:
Apparently, Veritas netbackup bpcd (backup plus control daemon) traffic sets off a rule in snort for DOS arkiea backup Classification Attempted Denial of Service...

Any idea why the logic would classify this as a denial of service...
Does this process flood the port or something?

Thanks,
Taylor

Taylor Lewick
Unix System Administrator
Fortis Benefits
816 881 6073

"Help Wanted.  Seeking Telepath..."
"You Know where to apply."


_______________________________________________________________

Have big pipes? SourceForge.net is looking for download mirrors. We supply
the hardware. You get the recognition. Email Us: bandwidth () sourceforge net
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list


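As an added illustration (not code from this thread or from Snort itself), the Python below evaluates the detection options of the quoted sid 282 rule against a few constructed TCP segments. It models only the destination port, the flags test and the dsize test, ignores the $HOME_NET/$EXTERNAL_NET address variables, and supports just the "+" flags modifier and the "<", ">" and exact dsize forms; the sample segments and port numbers other than 617 are made up for the example.

```python
import re
from dataclasses import dataclass

# sid 282 as quoted in the thread, joined back onto one line.
RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 617 (msg:"DOS arkiea backup"; '
        'flags: A+; dsize: >1445; reference:bugtraq,662; reference:cve,CVE-1999-0788; '
        'reference:arachnids,261; classtype:attempted-dos; sid:282; rev:3;)')

@dataclass
class Segment:
    """Constructed TCP segment summary: flags as letters (S, A, P, F, R, U)."""
    dst_port: int
    flags: str
    payload_len: int

def parse_rule(rule):
    """Pull out the destination port plus the flags and dsize options (addresses ignored)."""
    header, options = rule.split("(", 1)
    dport = int(header.split()[6])
    opts = {}
    for item in options.rstrip(")").split(";"):
        if ":" in item:
            key, val = item.split(":", 1)
            opts[key.strip()] = val.strip()
    flags = opts["flags"]                        # "A+": ACK must be set, other bits don't care
    required = set(flags.rstrip("+"))
    op, num = re.fullmatch(r"([<>]?)(\d+)", opts["dsize"]).groups()
    return {"dport": dport, "required": required, "plus": flags.endswith("+"),
            "op": op, "n": int(num)}

def rule_matches(rule, seg):
    """True when the segment passes every test the rule has; note that no payload content is inspected."""
    if seg.dst_port != rule["dport"]:
        return False
    have = set(seg.flags)
    if rule["plus"]:
        if not rule["required"] <= have:
            return False
    elif have != rule["required"]:
        return False
    n = rule["n"]
    return {">": seg.payload_len > n, "<": seg.payload_len < n, "": seg.payload_len == n}[rule["op"]]

SID_282 = parse_rule(RULE)
# Constructed traffic: a full-size bpcd data segment satisfies every test, just as the exploit would.
SAMPLES = {"bpcd bulk data to 617": Segment(617, "PA", 1460),
           "small control message": Segment(617, "PA", 120),
           "handshake SYN": Segment(617, "S", 0),
           "bulk data to another port": Segment(22, "PA", 1460)}
for name, seg in SAMPLES.items():
    print(f"{name}: {'ALERT' if rule_matches(SID_282, seg) else 'ok'}")
```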