Snort mailing list archives

AW: DOS and gnutella


From: "Poppi, Sandro" <Sandro.Poppi () wacker com>
Date: Thu, 8 Aug 2002 07:15:42 +0200

Hi

Hello all, 

I have been using IPTABLES and Snort as a personal firewall and IDS on
my server/workstation at home.  I am on RoadRunner, and I host some web
pages, so that I can easily get to some files and stuff from work.  The
only ports I have enabled through IPTABLES are 8080 (Web) and 22 (SSH).

Recently, I decided to install gtk-gnutella, and thought I would have to
open port 6346 to allow this traffic.  I've done this, and everything is
working fine.  I am able to download files, and I see others uploading
stuff.  However, today I received this:

08/07-14:26:48.992626  [**] [1:1408:5] DOS MSDTC attempt [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} <sourceIPhere>:6347 -> <myIPhere>:3372

This "attempt" occurred about 6000 times, and stopped when I shut off
gnutella.  I'm thinking this is a false positive, because of the newly
added gnutella client.  I've never had any kind of message like this
before gnutella, and I've had this box up for months now.  The source
port is a gnutella port, weird how the destination is a Micro$not MSDTC
service.  I'm sure I have to tweak up my iptables script, and snort.conf,
I'm just not exactly sure how.  What should I change/add/remove?

Take a look at the signature:

alert tcp $EXTERNAL_NET any -> $HOME_NET 3372 (msg:"DOS MSDTC attempt";
flags:A+; dsize:>1023; reference:bugtraq,4006; classtype:attempted-dos;
sid:1408; rev:4;)

This tells you that the rule is triggered for an established session to one
of your hosts on port 3372 where the packet size is greater than 1023 bytes.
I would say you had a gnutella download and your IP stack chose to use port
3372 for that connection. This will happen now and then. For me this is a
false positive (which I also receive for various other services because that
rule is really general).

So no change to your iptables would be necessary. Also, if you don't have any
Windows host running, disabling that rule would do the trick anyway ;)

To verify what I said do a tcpdump of a new gnutella session and you'll see.

So long,
Sandro
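An added triage example, not code from the thread or from the Snort project: it parses alert lines of the shape quoted above and flags sid 1408 hits as likely false positives when the remote side speaks from a Gnutella port and the "target" port on our side is merely an ephemeral client port, which is exactly the download-return-traffic case Sandro describes. The sample log and the documentation-range addresses are constructed, and the ephemeral port range is an assumption.

```python
import re

# Regex for a Snort "fast" alert of the shape quoted above; the archive wrapped
# that line, so whitespace is normalised before matching.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+) \[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) \[\*\*\]"
    r".*?\{(?P<proto>\w+)\} (?P<src>\S+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+)$"
)
GNUTELLA_PORTS = {6346, 6347}   # Gnutella listener ports named in the thread
EPHEMERAL = range(1024, 5000)   # assumption: classic Linux local port range

def parse_alert(text: str) -> dict:
    """Return the alert fields; sid, rev, gid and port numbers as ints."""
    m = ALERT_RE.match(" ".join(text.split()))
    if not m:
        raise ValueError(f"not a Snort fast alert: {text!r}")
    a = m.groupdict()
    for k in ("gid", "sid", "rev", "sport", "dport"):
        a[k] = int(a[k])
    return a

def likely_false_positive(a: dict) -> bool:
    # sid 1408 fires on any large ACK-set packet *to* port 3372, whichever side
    # opened the connection. Remote end on a Gnutella port plus a local port in
    # the ephemeral range means we initiated the session and this is download
    # data flowing back, which is the case Sandro describes.
    return (a["sid"] == 1408 and a["proto"] == "TCP"
            and a["sport"] in GNUTELLA_PORTS and a["dport"] in EPHEMERAL)

def triage(log: str) -> dict:
    """Summarise a run of alerts (the thread saw ~6000 identical ones) by verdict."""
    verdicts = {"likely_fp": 0, "review": 0}
    for line in log.strip().splitlines():
        a = parse_alert(line)
        verdicts["likely_fp" if likely_false_positive(a) else "review"] += 1
    return verdicts

# Constructed sample: the thread's alert with RFC 5737 documentation addresses
# in place of the redacted ones, twice, plus one hit that does deserve a look.
SAMPLE_LOG = """
08/07-14:26:48.992626 [**] [1:1408:5] DOS MSDTC attempt [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 192.0.2.10:6347 -> 198.51.100.5:3372
08/07-14:26:49.104411 [**] [1:1408:5] DOS MSDTC attempt [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 192.0.2.10:6347 -> 198.51.100.5:3372
08/07-14:30:02.000001 [**] [1:1408:5] DOS MSDTC attempt [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 203.0.113.7:40123 -> 198.51.100.5:3372
"""

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))   # {'likely_fp': 2, 'review': 1}
```

The "review" bucket is the one worth a tcpdump, as Sandro suggests; everything in "likely_fp" is a candidate for a pass rule or for disabling sid 1408 on a network without Windows hosts.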

