Snort mailing list archives

change to sid 2189 (PIM) to account for MCAST-NET


From: Jon Hart <warchild () spoofed org>
Date: Sat, 23 Aug 2003 21:48:44 -0400

Greetings,

After some new networking gear was brought online, rule sid 2189 went
berserk and alerted quite often.  IIRC, it wasn't from the new gear
itself, but rather the result of new acls that now allowed multicast
traffic to flow a bit more freely on the network(s) in question.  They
were all going to addresses in the 224.0.0.0/4 network, which is set
aside for multicast traffic.

Because the exploit requires that the malicious traffic is targeted at a
specific device and must "land" there, 'any' as a destination address in
sid 2189 was initially sufficient.  I've now changed my local rule to
not alert on PIM traffic going to the multicast network.

There may be a legitimate reason to alert on PIM traffic going to the
multicast address, but I certainly can't think of one right now.

In snort.conf, I defined a new variable for this network:

var MULTICAST_NET 224.0.0.0/4

And tweaked sid 2189 as follows:

alert ip any any -> !$MULTICAST_NET any (msg:"BAD-TRAFFIC IP Proto 103 (PIM)";
ip_proto:103; reference:bugtraq,8211; reference:cve,CAN-2003-0567;
classtype:non-standard-protocol; sid:2189; rev:2;)

I'd like to hear people's thoughts on this change, if any.  If it can't
be changed, I think the documentation for this rule should be changed to
note the possibility of high false positives:

"Possible.  If traffic is destined for 224.0.0.0/4, this is usually
indicative of multicast traffic and can be safely ignored provided
multicast traffic is common or allowed on your networks."

-jon
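As an added example, not part of Jon's post and not Snort project code, the following Python models the two versions of sid 2189 (rev 1 with an `any` destination, rev 2 with the destination negated against the 224.0.0.0/4 variable) and runs both over a constructed set of packets. The packet list, the `Packet` type and the function names are assumptions made for this illustration; the rule logic itself is just "IP protocol 103" with and without the multicast exclusion. It also probes both edges of the /4 mask so you can confirm the exclusion covers exactly 224.0.0.0 through 239.255.255.255 and that PIM sent to a unicast destination still alerts under the modified rule.

```python
import ipaddress
from dataclasses import dataclass

IP_PROTO_PIM = 103
# Same range as the snort.conf variable in the post: var MULTICAST_NET 224.0.0.0/4
MULTICAST_NET = ipaddress.ip_network("224.0.0.0/4")


@dataclass(frozen=True)
class Packet:
    """Minimal IP header view (assumed structure for this example)."""
    src: str
    dst: str
    proto: int


def original_rule_alerts(pkt: Packet) -> bool:
    """sid 2189 rev 1: alert ip any any -> any any (ip_proto:103;)"""
    return pkt.proto == IP_PROTO_PIM


def modified_rule_alerts(pkt: Packet) -> bool:
    """sid 2189 rev 2: alert ip any any -> !$MULTICAST_NET any (ip_proto:103;)"""
    if pkt.proto != IP_PROTO_PIM:
        return False
    return ipaddress.ip_address(pkt.dst) not in MULTICAST_NET


# Constructed sample traffic (not captured data). Sources and the unicast
# destination are private addresses chosen for the illustration.
SAMPLE_TRAFFIC = [
    Packet("10.0.0.2", "224.0.0.13", IP_PROTO_PIM),        # PIM to ALL-PIM-ROUTERS group
    Packet("10.0.0.2", "239.1.2.3", IP_PROTO_PIM),         # PIM to an admin-scoped group
    Packet("10.0.0.2", "10.0.0.1", IP_PROTO_PIM),          # PIM unicast to a specific host
    Packet("10.0.0.2", "224.0.0.251", 17),                 # UDP multicast, not PIM at all
    Packet("10.0.0.2", "223.255.255.255", IP_PROTO_PIM),   # one below the /4 boundary
    Packet("10.0.0.2", "240.0.0.1", IP_PROTO_PIM),         # one above the /4 boundary
]


def count_alerts(packets, rule) -> int:
    """Number of packets for which the given rule function fires."""
    return sum(1 for p in packets if rule(p))


def compare(packets):
    """Per-packet view of (packet, rev1 alerts?, rev2 alerts?)."""
    return [(p, original_rule_alerts(p), modified_rule_alerts(p)) for p in packets]


if __name__ == "__main__":
    for pkt, rev1, rev2 in compare(SAMPLE_TRAFFIC):
        print(f"{pkt.dst:>16} proto={pkt.proto:<3} rev1={rev1!s:<5} rev2={rev2!s:<5}")
    print("rev1 alerts:", count_alerts(SAMPLE_TRAFFIC, original_rule_alerts))
    print("rev2 alerts:", count_alerts(SAMPLE_TRAFFIC, modified_rule_alerts))
```

Running it shows the two group-addressed PIM packets are the only ones silenced by the change; the unicast-destined PIM packet and the two packets just outside the /4 block still fire, which is the behaviour the post is after. Note that the negated destination is written `!$MULTICAST_NET` here, since Snort expands configuration variables only when they are prefixed with `$`.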


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
