Snort mailing list archives
Re: snort rule question..
From: Matt Kettler <mkettler () evi-inc com>
Date: Thu, 02 May 2002 11:47:17 -0400
Ok, I think you have a bit of a misunderstanding about how smart snort is. "the logic" doesn't classify anything, there are just simple rules which match patterns of behavior against ones which exist in attacks. Most of the snort signatures are (and many have to be) so generic that they will have a tendency to go off for some forms of legitimate traffic.
Look at the rule in question, from dos.rules:

alert tcp $EXTERNAL_NET any -> $HOME_NET 617 (msg:"DOS arkiea backup"; flags: A+; dsize: >1445; reference:bugtraq,662; reference:cve,CVE-1999-0788; reference:arachnids,261; classtype:attempted-dos; sid:282; rev:3;)

This will go off for any TCP segment with the ACK bit set, that is greater than 1445 bytes in length, that is sent to port 617.
This rule is pretty generic, but so is the exploit. From the exploit description of this bugtraq ID on security focus:
"Connect to the port nlservd is listening to and send it a long string. It will crash."
Hence the rule will match traffic which is relatively ordinary. Arkeia backup would crash if given relatively ordinary (albeit unexpected by the programmer) inputs. The same kind of traffic pattern that would crash Arkeia is apparently used by Veritas on the same port.
At 03:40 PM 5/1/2002 -0500, Taylor Lewick wrote:
Apparently, Veritas NetBackup bpcd (backup plus control daemon) traffic sets off a rule in snort for DOS arkiea backup, Classification Attempted Denial of Service... Any idea why the logic would classify this as a denial of service... Does this process flood the port or something?
Thanks, Taylor
Taylor Lewick
Unix System Administrator
Fortis Benefits
816 881 6073
"Help Wanted. Seeking Telepath..." "You Know where to apply."

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
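To make the "how generic is this rule" point concrete, here is an added example (not from the thread and not Snort's own code) that parses the sid 282 rule quoted above and applies its header and the flags/dsize options to constructed packet records. The network variables $EXTERNAL_NET/$HOME_NET are ignored in this toy matcher, and the addresses, ports other than 617, and payload sizes are constructed for illustration. It also shows the defender-side fix the thread implies: once you know the large ACK segments come from your own backup server, suppress the alert for that source rather than deleting the rule (Snort's equivalent is a `suppress gen_id 1, sig_id 282, track by_src, ip <server>` line in threshold.conf).

```python
"""Toy evaluator for the Snort rule discussed in this thread (added example)."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# The rule exactly as quoted in the thread (dos.rules, sid 282).
RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 617 (msg:"DOS arkiea backup"; '
        'flags: A+; dsize: >1445; reference:bugtraq,662; reference:cve,CVE-1999-0788; '
        'reference:arachnids,261; classtype:attempted-dos; sid:282; rev:3;)')


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str        # TCP flag letters as Snort writes them, e.g. "AP"
    payload_len: int  # bytes of TCP payload (what dsize tests)


@dataclass
class Rule:
    action: str
    proto: str
    dport: Optional[int]   # None means "any"
    msg: str
    flags: str             # required flag letters, e.g. "A"
    flags_any_extra: bool  # trailing '+' : other flags may also be set
    dsize_op: str          # '>', '<' or '='
    dsize_val: int
    sid: int


HEADER_RE = re.compile(r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$')


def parse_rule(text: str) -> Rule:
    """Parse the header and the handful of options this example evaluates."""
    m = HEADER_RE.match(text)
    if not m:
        raise ValueError("unrecognised rule syntax")
    action, proto, _src, _sport, _dst, dport, body = m.groups()
    opts = {}
    for opt in body.split(';'):
        opt = opt.strip()
        if not opt:
            continue
        key, _, val = opt.partition(':')
        key, val = key.strip(), val.strip()
        if key == 'reference':
            opts.setdefault('reference', []).append(val)
        else:
            opts[key] = val
    flags = opts['flags']                     # "A+" in the quoted rule
    ds = re.match(r'([<>]?)(\d+)$', opts['dsize'])
    if ds is None:
        raise ValueError("unsupported dsize form")
    return Rule(action, proto, None if dport == 'any' else int(dport),
                opts['msg'].strip('"'), flags.rstrip('+*!'), flags.endswith('+'),
                ds.group(1) or '=', int(ds.group(2)), int(opts['sid']))


def matches(rule: Rule, pkt: Packet) -> bool:
    """Apply protocol, destination port, flags and dsize; networks are ignored (toy)."""
    if pkt.proto != rule.proto:
        return False
    if rule.dport is not None and pkt.dport != rule.dport:
        return False
    required, have = set(rule.flags), set(pkt.flags)
    if not required <= have:                      # ACK must be set
        return False
    if not rule.flags_any_extra and have != required:
        return False
    if rule.dsize_op == '>':
        return pkt.payload_len > rule.dsize_val
    if rule.dsize_op == '<':
        return pkt.payload_len < rule.dsize_val
    return pkt.payload_len == rule.dsize_val


def alerts(rule: Rule, packets: Iterable[Packet],
           suppress_src: Iterable[str] = ()) -> List[Tuple[int, str, str, str]]:
    """Return (sid, msg, src, dst) for each hit, skipping suppressed source hosts."""
    suppressed = set(suppress_src)
    return [(rule.sid, rule.msg, p.src, p.dst)
            for p in packets if matches(rule, p) and p.src not in suppressed]


RULE_OBJ = parse_rule(RULE)

# Constructed sample traffic; 192.0.2.10 plays the NetBackup server.
SAMPLE_PACKETS = [
    Packet('tcp', '192.0.2.10', 40001, '10.0.0.5', 617, 'AP', 1460),  # bulk data segment: fires
    Packet('tcp', '192.0.2.10', 40001, '10.0.0.5', 617, 'AP', 200),   # small control message: no
    Packet('tcp', '192.0.2.10', 40002, '10.0.0.5', 617, 'S', 0),      # handshake SYN, no ACK: no
    Packet('tcp', '192.0.2.10', 40003, '10.0.0.5', 22, 'AP', 1460),   # same size, other port: no
]

if __name__ == '__main__':
    for hit in alerts(RULE_OBJ, SAMPLE_PACKETS):
        print(hit)
    print('after suppression:', alerts(RULE_OBJ, SAMPLE_PACKETS, suppress_src={'192.0.2.10'}))
```

Only the first constructed packet fires: any backup product that pushes full-size ACK segments at TCP/617 looks identical to the rule, which is exactly why the thread recommends treating the hit as a tuning problem rather than an attack.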
Current thread:
- snort rule question.. Taylor Lewick (May 02)
- Re: snort rule question.. Matt Kettler (May 02)