Re: DOS MSDTC attempt false positive

[Kenny D <bitored2002 () yahoo com au>]

Thanks,

i know im not vunerable to the MSDTC attack so i am
just going to disable that rule however im afraid i
will spend my life adding pass rules for all these DOS
fp's. I suppose i will just have to live with it until
some sort of statefullness is included (if ever).

 

--- Matt Kettler <mkettler () evi-inc com> wrote: > That
broad a pass rule is probably a bad idea.
> Basically anyone could 
> engage an attack on any "high port" service (ie:
> socks proxy on 1080) 
> undetected by forcing the source port of there
> attack to 80 (requires root 
> privileges on a box not running a port 80 webserver
> to do, but that's not 
> hard to come by).
>
> The snort rules themselves do not currently have
> much "Statefulness" and 
> cannot directly tell if a packet is part of a
> session originated by 
> home_net, or originated outside it. This would be a
> very nice feature, and 
> it may be possible to implement something similar
> using flows (at the 
> expense of more complicated rules).
>
> I'd probably just edit the MSDTC rule to have a
> source port !80 instead of any.
>
> Of course, this means that anyone can engage an
> attack on a MSDTC server in 
> your network undetected by forcing the source port
> of the attack to 80, but 
> it does reduce the false positives.
>
> Heck, if your're smart enough to make sure you have
> NO systems in your 
> network vulnerable, or even better, no systems which
> could have ever been 
> vulnerable, you can probably safely disable this
> rule.
>
> DOS attempt detection isn't worth the high false
> rate IMO, particularly if 
> it is a DoS you know you're not subject to.
>
>
> At 01:36 AM 5/9/2002 +1000, Kenny D wrote:
> > Hi,
> >
> >
> > i am getting numerous DOS false positives such as
> DOS
> > MSDTC and DDOS mstream client to handler    where
> the
> > source port is 80 and the destination port is 3372
> and
> > 12754 respectively. These are return packets from
> an
> > established connection ie the destination port is
> > > 1023. I was thinking of writing a pass rule to
> ignore
> > alerts where source port is 80 and destination port
> > > 1023. Is this pass rule commonly used or can it
> make
> > me vunerable in any way. A way to ignore return
> > packets in established tcp connections would be
> > extremely useful.
> >
> > I use snort 1.8.6 on redhat 7.2
> >
> > Rgds,
> >
> > Kenny.
> >
> > http://messenger.yahoo.com.au - Yahoo! Messenger
> > - A great way to communicate long-distance for
> FREE!
> >
>
> _______________________________________________________________
> > Have big pipes? SourceForge.net is looking for
> download mirrors. We supply
> > the hardware. You get the recognition. Email Us:
> bandwidth () sourceforge net
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or
> unsubscribe:
>
> https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
>
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>  

http://messenger.yahoo.com.au - Yahoo! Messenger
- A great way to communicate long-distance for FREE!

_______________________________________________________________

Have big pipes? SourceForge.net is looking for download mirrors. We supply
the hardware. You get the recognition. Email Us: bandwidth () sourceforge net
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users