Snort mailing list archives

Re: DOS and gnutella


From: Ian Macdonald <secsnort () dirk demon co uk>
Date: Wed, 7 Aug 2002 23:16:58 -0400 (EDT)

This might be best asked on the snort signatures mailing list. Since you
asked here, this is what you need to do. Find the rule in the snort rules
set. Bring up the DOS file and look for MSDTC.

alert tcp $EXTERNAL_NET any -> $HOME_NET 3372 (msg:"DOS MSDTC attempt"; flow:to_server,established; dsize:>1023; reference:bugtraq,4006; classtype:attempted-dos; sid:1408; rev:5;)


So this triggers on traffic to 3372 that is larger than 1023 bytes
(characters?) and is coming from the server on an established connection.

According to the alert listed below you had a connection
from <sourceIPhere>:6347 going to <myIPhere>:3372. Are you sure you opened
up port 6346 rather than port 3372?

Ian
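To make the reading of the rule above concrete, here is an added example (editorial, not Snort's code and not written by either poster) that models the checks deciding whether sid 1408 fires: the destination port, the flow:to_server,established modifier, and dsize, which Snort tests against the TCP payload length rather than the whole packet. It also parses alert_fast lines in the layout of the alert quoted in the original post and counts them per source peer, which is the first thing to check when one signature fires thousands of times. The HOME_NET address, the peer addresses, the segment records and the alert lines are constructed; $EXTERNAL_NET is taken as any, as the quoted snort.conf sets it.

```python
import re
from collections import Counter

# The rule as quoted in the reply (sid 1408, rev 5).
RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 3372 (msg:"DOS MSDTC attempt"; '
        'flow:to_server,established; dsize:>1023; reference:bugtraq,4006; '
        'classtype:attempted-dos; sid:1408; rev:5;)')

# Constructed stand-in for <myIPhere>; EXTERNAL_NET is "any" in the quoted snort.conf.
HOME_NET = {"192.0.2.10"}


def parse_rule(text):
    """Split a one-line Snort rule into its header fields and an option map."""
    header, _, body = text.partition("(")
    action, proto, src, sport, _arrow, dst, dport = header.split()
    opts = {}
    for item in body.rstrip(")").split(";"):
        key, _, val = item.strip().partition(":")
        if key:
            opts[key] = val.strip().strip('"')
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "opts": opts}


def addr_matches(spec, addr, home_net):
    """Resolve the two variables the rule uses; anything else is a literal address."""
    if spec in ("any", "$EXTERNAL_NET"):
        return True
    if spec == "$HOME_NET":
        return addr in home_net
    return addr == spec


def port_matches(spec, port):
    """Port spec handled here: any or a single port (ranges left out for brevity)."""
    return spec == "any" or port == int(spec)


def dsize_matches(spec, payload_len):
    """dsize:>N, dsize:<N or dsize:N, tested against TCP payload bytes only."""
    if spec.startswith(">"):
        return payload_len > int(spec[1:])
    if spec.startswith("<"):
        return payload_len < int(spec[1:])
    return payload_len == int(spec)


def rule_fires(rule, seg, home_net):
    """Header, flow and dsize checks on one TCP segment record. seg['direction']
    is what the stream tracker decided: to_server means the segment travels
    toward the side that accepted the connection."""
    if rule["proto"] != seg["proto"]:
        return False
    if not (addr_matches(rule["src"], seg["src"], home_net)
            and addr_matches(rule["dst"], seg["dst"], home_net)):
        return False
    if not (port_matches(rule["sport"], seg["sport"])
            and port_matches(rule["dport"], seg["dport"])):
        return False
    flow = set(rule["opts"].get("flow", "").split(","))
    if "established" in flow and not seg["established"]:
        return False
    if "to_server" in flow and seg["direction"] != "to_server":
        return False
    if "to_client" in flow and seg["direction"] != "to_client":
        return False
    dsize = rule["opts"].get("dsize")
    return dsize is None or dsize_matches(dsize, seg["payload"])


def _seg(**overrides):
    """Constructed segment: remote peer port 6347 -> local port 3372, as in the alert."""
    base = {"proto": "tcp", "src": "198.51.100.7", "sport": 6347,
            "dst": "192.0.2.10", "dport": 3372, "payload": 1500,
            "established": True, "direction": "to_server"}
    base.update(overrides)
    return base


SEGMENTS = [
    _seg(),                       # passes every check: this is the quoted alert
    _seg(payload=200),            # same endpoints, small payload: dsize fails
    _seg(direction="to_client"),  # local host opened the connection: flow fails
    _seg(dport=6346),             # traffic to the opened gnutella port: port fails
]


def evaluate(rule_text=RULE, segments=SEGMENTS, home_net=HOME_NET):
    rule = parse_rule(rule_text)
    return [rule_fires(rule, s, home_net) for s in segments]


# alert_fast line, in the layout of the one quoted in the original post.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\S+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)\s*$")


def parse_alert(line):
    """Return the alert's fields as a dict, or None if the line is not alert_fast output."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    a = m.groupdict()
    for k in ("gid", "sid", "rev", "sport", "dport"):
        a[k] = int(a[k])
    return a


def count_by_peer(lines):
    """Count alerts per (sid, source address, source port) so one noisy peer stands out."""
    counts = Counter()
    for a in map(parse_alert, lines):
        if a:
            counts[(a["sid"], a["src"], a["sport"])] += 1
    return counts


def _alert(ts, src, sport):
    """Constructed alert_fast line (timestamp and addresses made up)."""
    return (f"{ts}  [**] [1:1408:5] DOS MSDTC attempt [**] [Classification: Attempted "
            f"Denial of Service] [Priority: 2] {{TCP}} {src}:{sport} -> 192.0.2.10:3372")


ALERT_LINES = [_alert("08/07-14:26:48.992626", "198.51.100.7", 6347),
               _alert("08/07-14:26:49.102211", "198.51.100.7", 6347),
               _alert("08/07-14:27:01.551004", "203.0.113.9", 6346)]
```

Running evaluate() on the four constructed segments returns [True, False, False, False]: only the segment that is both large and heading to local port 3372 on a connection the stream tracker thinks the local side accepted fires, which is why the rule keyword to check first is flow rather than dsize when the local host is the one that opened the connection.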

On 7 Aug 2002, thelupine wrote:

Hello all,

I have been using IPTABLES and Snort as a personal firewall and IDS on
my server/workstation at home.  I am on RoadRunner, and I host some web
pages, so that I can easily get to some files and stuff from work.  The
only ports I have enabled through IPTABLES are 8080 (Web) and 22 (SSH).

Recently, I decided to install gtk-gnutella, and thought I would have to
open port 6346 to allow this traffic.  I've done this, and everything is
working fine.  I am able to download files, and I see others uploading
stuff.  However, today I received this:

08/07-14:26:48.992626  [**] [1:1408:5] DOS MSDTC attempt [**]
[Classification: Attempted Denial of Service] [Priority: 2] {TCP}
<sourceIPhere>:6347 -> <myIPhere>:3372

This "attempt" occurred about 6000 times, and stopped when I shut off
gnutella.  I'm thinking this is a false positive, because of the newly
added gnutella client.  I've never had any kind of message like this
before gnutella, and I've had this box up for months now.  The source
port is a gnutella port, weird how the destination is a Micro$not MSDTC
service.  I'm sure I have to tweak up my iptable script, and snort.conf,
I'm just not exactly sure how.  What should I change/add/remove?

Thanks in advance,
-Lup

Here is my iptable "firewall-start" script:

#!/bin/sh
################################################################
#
#
# LocalHost configuration

LocalHostInterface="lo"
LocalHostIP="127.0.0.1"

################################################################
#
#
# LAN connection
#
LANInterface="eth0"

################################################################
#
#
# IPTABLES Executable

IPTABLES="/sbin/iptables"

################################################################
#
#
# Modules Section

#/sbin/depmod -a
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_MASQUERADE

################################################################
#
#
# Default rules setup

# Accept loopback interface
$IPTABLES -A INPUT -i $LocalHostInterface -j ACCEPT
$IPTABLES -A OUTPUT -o $LocalHostInterface -j ACCEPT

# Accept known addresses
$IPTABLES -A INPUT -s 192.168.1.1 -j ACCEPT
$IPTABLES -A INPUT -s 192.168.1.0/24 -j ACCEPT

# Accept all outgoing traffic
$IPTABLES -A OUTPUT -j ACCEPT

# Accept already established connections
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Set default policy action
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD DROP

# Setup dynamic ip-addresses
echo 2 > /proc/sys/net/ipv4/ip_dynaddr

# Allow specified tcp services
$IPTABLES -A INPUT -p tcp --dport 8080 -j ACCEPT      # WWW services
$IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT        # SSH services
$IPTABLES -A INPUT -p tcp --dport 6346 -j ACCEPT      # Gnutella services

# Disallowed connections
$IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

# Log connections (each rule must stay on one shell line: the --log-prefix
# string is the rule's last argument, and a bare line break would make the
# shell run the prefix text as a separate command)
$IPTABLES -A INPUT -p ICMP -j LOG --log-prefix "FIREWALL:ATTEMPTED PING "
$IPTABLES -A INPUT -p tcp --dport 21 -j LOG --log-prefix "FIREWALL:ATTEMPTED FTP "
$IPTABLES -A INPUT -p tcp --dport 80 -j LOG --log-prefix "FIREWALL:ATTEMPTED WWW "
$IPTABLES -A INPUT -p tcp --dport 23 -j LOG --log-prefix "FIREWALL:ATTEMPTED TELNET "
$IPTABLES -A INPUT -p udp --dport 33434:33523 -j LOG --log-prefix "FIREWALL:ATTEMPTED TRACERT "
$IPTABLES -A INPUT -m limit --limit 5/minute -j LOG --log-prefix "FIREWALL: "

# Output results
$IPTABLES -L

------------------------------------------------------------------------
------------------------------------------------------------------------

And here is my snort.conf:

###################################################
# Set the variables

var HOME_NET $eth1_ADDRESS
var EXTERNAL_NET any
var HTTP_SERVERS $HOME_NET
var SMTP $HOME_NET
var DNS_SERVERS [<RoadRunners DNS servers>]
var SQL_SERVERS $HOME_NET
var RULE_PATH /etc/snort
var HTTP_PORTS 8080

#
###################################################
# Setup preprocessors

preprocessor portscan-ignorehosts: $DNS_SERVERS
preprocessor frag2
preprocessor stream4: detect_scans
preprocessor stream4_reassemble
preprocessor http_decode: 8080 -unicode -cginull
preprocessor unidecode: 8080 -unicode -cginull
preprocessor rpc_decode: 111 32771
preprocessor bo: -nobrute
preprocessor portscan: $HOME_NET 4 3 /var/log/snort/port-scan.log

#
####################################################################
# Setup output plugins
#

#output alert_syslog: LOG_AUTH LOG_ALERT
output alert_fast:/var/log/snort/snort-alerts.log
output database: log, mysql, user=root password=test dbname=Snort host=localhost
output database: alert, mysql, user=root password=test dbname=Snort host=localhost


#
# Include classification & priority settings
#

include classification.config


#
####################################################################
# Setup rule set
#
# Up to date snort rules are available at http://www.snort.org
#

#include $RULE_PATH/local.rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-attacks.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/icmp-info.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/backdoor.rules
include $RULE_PATH/info.rules
include $RULE_PATH/virus.rules





-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users