Snort mailing list archives
AW: DOS and gnutella
From: "Poppi, Sandro" <Sandro.Poppi () wacker com>
Date: Thu, 8 Aug 2002 07:15:42 +0200
Hi
Hello all, I have been using IPTABLES and Snort as a personal firewall and IDS on my server/workstation at home. I am on RoadRunner, and I host some web pages, so that I can easily get to some files and stuff from work. The only ports I have enabled through IPTABLES are 8080 (Web) and 22 (SSH). Recently, I decided to install gtk-gnutella, and thought I would have to open port 6346 to allow this traffic. I've done this, and everything is working fine. I am able to download files, and I see others uploading stuff. However, today I received this:

08/07-14:26:48.992626 [**] [1:1408:5] DOS MSDTC attempt [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} <sourceIPhere>:6347 -> <myIPhere>:3372

This "attempt" occurred about 6000 times, and stopped when I shut off gnutella. I'm thinking this is a false positive, because of the newly added gnutella client. I've never had any kind of message like this before gnutella, and I've had this box up for months now. The source port is a gnutella port, weird how the destination is a Micro$not MSDTC service. I'm sure I have to tweak up my iptables script, and snort.conf, I'm just not exactly sure how. What should I change/add/remove?
Take a look at the signature:

alert tcp $EXTERNAL_NET any -> $HOME_NET 3372 (msg:"DOS MSDTC attempt"; flags:A+; dsize:>1023; reference:bugtraq,4006; classtype:attempted-dos; sid:1408; rev:4;)

This tells you that the rule is triggered for an established session to one of your hosts on port 3372 where the packet size is greater than 1023 bytes. I would say you had a gnutella download and your IP stack chose to use port 3372 for that connection. This will happen now and then. For me this is a false positive (which I also receive for various other services because that rule is really general). So no change on your iptables would be necessary. Also, if you don't have any Windows host running, disabling that rule would do the trick anyway ;) To verify what I said, do a tcpdump of a new gnutella session and you'll see.

So long,
Sandro
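To make the reply's reading of the rule concrete, here is an added example (not code from the thread, Snort, or either poster): a minimal Python evaluator for sid:1408 as quoted above, run over constructed packet records. It models the scenario described: the home host connects out to a Gnutella peer's port 6347 from local ephemeral port 3372, and every full-size download segment the peer sends back matches `$EXTERNAL_NET any -> $HOME_NET 3372`, `flags:A+`, `dsize:>1023`. The addresses, the `$HOME_NET` value, the treatment of `$EXTERNAL_NET` as `!$HOME_NET`, and the ephemeral port range are all assumptions made for illustration.

```python
"""Added example: toy evaluator for Snort rule sid:1408 rev:4 as quoted
in the reply.  All packets and addresses below are constructed sample
data, not captured traffic."""
import ipaddress
from dataclasses import dataclass

# Rule as quoted in the reply:
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3372
#   (msg:"DOS MSDTC attempt"; flags:A+; dsize:>1023; ... sid:1408; rev:4;)
RULE_DST_PORT = 3372
RULE_MIN_DSIZE = 1024          # dsize:>1023 means a payload of at least 1024 bytes
RULE_MSG = "DOS MSDTC attempt"

# TCP flag bits
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    dsize: int   # TCP payload length in bytes, which is what Snort's dsize tests


def matches_sid_1408(pkt, home_net):
    """Return True when pkt would fire sid:1408.

    Assumption: $EXTERNAL_NET is !$HOME_NET, the usual snort.conf setting.
    flags:A+ means ACK must be set and any other bits may also be set.
    """
    net = ipaddress.ip_network(home_net)
    src_in = ipaddress.ip_address(pkt.src) in net
    dst_in = ipaddress.ip_address(pkt.dst) in net
    if src_in or not dst_in:          # must be external -> home
        return False
    if pkt.dport != RULE_DST_PORT:    # destination port 3372
        return False
    if not pkt.flags & ACK:           # flags:A+ (handshake SYN alone does not match)
        return False
    return pkt.dsize >= RULE_MIN_DSIZE


def run_rule(pkts, home_net):
    """Return one alert line per matching packet, in the style of Snort's fast alerts."""
    return [f"[1:1408:4] {RULE_MSG} {{TCP}} {p.src}:{p.sport} -> {p.dst}:{p.dport}"
            for p in pkts if matches_sid_1408(p, home_net)]


# Assumed ephemeral range used for illustration only; the live value is in
# /proc/sys/net/ipv4/ip_local_port_range on the host in question.
ASSUMED_LOCAL_PORT_RANGE = (1024, 4999)


def is_ephemeral(port, rng=ASSUMED_LOCAL_PORT_RANGE):
    """True if the stack could have picked this port as the local end of an outbound connection."""
    return rng[0] <= port <= rng[1]


HOME_NET = "10.0.0.0/24"     # constructed
ME = "10.0.0.5"              # constructed: the poster's box
PEER = "198.51.100.7"        # constructed: a Gnutella peer listening on 6347

# Constructed trace of the situation in the thread: we connect out to the
# peer from local port 3372, then the peer streams a download back to us.
SAMPLE = [
    Packet(ME, 3372, PEER, 6347, SYN, 0),           # outbound connect, local port 3372
    Packet(PEER, 6347, ME, 3372, SYN | ACK, 0),     # handshake reply, no payload
    Packet(PEER, 6347, ME, 3372, ACK | PSH, 1460),  # full-size download segment -> alert
    Packet(PEER, 6347, ME, 3372, ACK | PSH, 512),   # small segment -> no alert
    Packet(PEER, 6347, ME, 3373, ACK | PSH, 1460),  # same peer, different local port -> nothing
]

if __name__ == "__main__":
    for line in run_rule(SAMPLE, HOME_NET):
        print(line)
```

Only the third packet fires, and it fires once per large segment, which is why a single download produces thousands of alerts and why the same rule will also match any other bulk transfer that happens to land on local port 3372. A tcpdump of a fresh Gnutella session, as the reply suggests, is the straightforward way to confirm that the 3372 side is your own ephemeral port rather than an MSDTC listener.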
Current thread:
- AW: DOS and gnutella Poppi, Sandro (Aug 07)