Snort mailing list archives
Re: DOS MSDTC attempt false positive
From: Matt Kettler <mkettler () evi-inc com>
Date: Wed, 08 May 2002 13:43:20 -0400
That broad a pass rule is probably a bad idea. Basically anyone could engage an attack on any "high port" service (i.e. socks proxy on 1080) undetected by forcing the source port of their attack to 80 (requires root privileges on a box not running a port 80 webserver to do, but that's not hard to come by).
The snort rules themselves do not currently have much "Statefulness" and cannot directly tell if a packet is part of a session originated by home_net, or originated outside it. This would be a very nice feature, and it may be possible to implement something similar using flows (at the expense of more complicated rules).
I'd probably just edit the MSDTC rule to have a source port !80 instead of any. Of course, this means that anyone can engage an attack on a MSDTC server in your network undetected by forcing the source port of the attack to 80, but it does reduce the false positives.
Heck, if you're smart enough to make sure you have NO systems in your network vulnerable, or even better, no systems which could have ever been vulnerable, you can probably safely disable this rule.
DOS attempt detection isn't worth the high false rate IMO, particularly if it is a DoS you know you're not subject to.
At 01:36 AM 5/9/2002 +1000, Kenny D wrote:
Hi, I am getting numerous DOS false positives such as DOS MSDTC and DDOS mstream client to handler where the source port is 80 and the destination port is 3372 and 12754 respectively. These are return packets from an established connection, i.e. the destination port is >1023. I was thinking of writing a pass rule to ignore alerts where source port is 80 and destination port >1023. Is this pass rule commonly used or can it make me vulnerable in any way? A way to ignore return packets in established TCP connections would be extremely useful. I use snort 1.8.6 on redhat 7.2

Rgds, Kenny.
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
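The three options discussed in this exchange side by side, as an added illustration in Snort 1.8 rule syntax (constructed here, not rules from the thread or from the Snort distribution; the rule bodies, variable names and sid values 1000001-1000003 are placeholders):

```snort
# 1. The broad pass rule Kenny proposed. Every alert on a high port from
#    source port 80 is suppressed, so any attacker able to bind a socket to
#    source port 80 evades every high-port rule, not just the MSDTC one.
#    Note: Snort's default rule order is alert -> pass -> log; pass rules
#    only win over alert rules when snort is started with -o.
pass tcp any 80 -> $HOME_NET 1024: (msg:"PASS src port 80 to high port"; sid:1000001; rev:1;)

# 2. Matt's narrower option: keep the MSDTC rule but exclude source port 80.
#    The blind spot now covers only this one rule, and only port 3372.
alert tcp $EXTERNAL_NET !80 -> $HOME_NET 3372 (msg:"DOS MSDTC attempt"; flags:A+; dsize:>1023; classtype:attempted-dos; sid:1000002; rev:1;)

# 3. The flow-based approach Matt mentions. stream4 tracks TCP sessions, and
#    flow:to_server,established matches only packets travelling toward the
#    side that accepted the connection. A reply from an external web server's
#    port 80 back to an internal client on ephemeral port 3372 is to_client
#    traffic and is never matched, so no source-port exception is needed.
preprocessor stream4
preprocessor stream4_reassemble
alert tcp $EXTERNAL_NET any -> $HOME_NET 3372 (msg:"DOS MSDTC attempt"; flow:to_server,established; dsize:>1023; classtype:attempted-dos; sid:1000003; rev:1;)
```

Option 3 also stops firing on packets that belong to no tracked session at all, which is why Matt describes it as the nicer, if more complicated, fix.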
Current thread:
- DOS MSDTC attempt false positive Kenny D (May 08)
- Re: DOS MSDTC attempt false positive Matt Kettler (May 08)
- Re: DOS MSDTC attempt false positive Kenny D (May 08)
- Re: DOS MSDTC attempt false positive Roberto Suarez Soto (May 09)
- Re: DOS MSDTC attempt false positive Bill McCarty (May 10)
- Re: DOS MSDTC attempt false positive Matt Kettler (May 11)
- Re: DOS MSDTC attempt false positive Matt Kettler (May 11)
- Re: DOS MSDTC attempt false positive Bill McCarty (May 11)
- Re: DOS MSDTC attempt false positive Matt Kettler (May 08)