Re: spp_portscan warning on snort

From: RainbowHat (nHiATlE@blSackholeP.mAit.edMu.invalid)
Date: 06/29/02 

From: RainbowHat <nHiATlE@blSackholeP.mAit.edMu.invalid>
Date: Sat, 29 Jun 2002 09:21:30 +0000 (UTC)

< ras2

>I get these every time I apt-get something from a Debian mirror
>(and sometimes when I download things from other FTP servers),
>so I assume it's a false positive. I've only recently started
>using snort, but I got the alerts with the ruleset included
>in the 1.8.6 distribution and now with the most recent ruleset
>from snort.org too.

Snort 1.8.6 (official release version) don't support `fragroute` type
packets completely.

Subject Re: Snort exploits
>From Chris Green <cmg@sourcefire.com>
Message-ID <m2adrskhpm.fsf@mail.sourcefire.com>
Date Wed, 24 Apr 2002 15:41:09 -0400
To 0xcafebabe@hushmail.com
Cc bugtraq@securityfocus.com, pen-test@securityfocus.com,
           snort-users@lists.sourceforge.net
| I've just made Snort 1.8.7beta1 available at:
| http://www.snort.org/dl/beta/snort-1.8.7beta1.tar.gz.
| This should correct the issues that fragroute induces.

>[**] [1:499:1] MISC Large ICMP Packet [**]
>[Classification: Potentially Bad Traffic] [Priority: 2]
>06/22-19:00:04.810281 130.239.18.137 -> 195.82.196.162
>ICMP TTL:236 TOS:0x0 ID:60969 IpLen:20 DgmLen:1500 DF
>Type:8 Code:0 ID:0 Seq:0 ECHO
>[Xref => http://www.whitehats.com/info/IDS246]

"ID:0 Seq:0", "DgmLen:1500", "IpLen:20", "TOS:0x0" are common as OP.
In this case, DF flag was set and ECHO request. SRC and DST looks
correct. Both case, "ID:0 Seq:0" looks to me like little bit strange.

>I also get these all the time:
>[**] [1:1792:3] NNTP return code buffer overflow attempt [**]
>[Classification: Generic Protocol Command Decode] [Priority: 3]
>06/28-14:09:47.685318 130.227.3.84:119 -> 195.82.196.69:1024
>TCP TTL:251 TOS:0x0 ID:14116 IpLen:20 DgmLen:1336 DF
>***AP*** Seq: 0xCBF89E99 Ack: 0x1F582ACA Win: 0x2798 TcpLen: 32
>TCP Options (3) => NOP NOP TS: 182604152 61206
>[Xref => http://www.securityfocus.com/bid/4900]q
>
>It seems to happen every time I download news with slrnpull from my
>ISP's news server. It's explained as a buffer overflow attempt on an
>MNews server (which I'm not running and my ISP is running Typhoon 1.2.2).
>The captures resulting from this kind of alert just contain bits and
>pieces of news articles and server overviews.

+---[ misc.rules ]---
|# alert tcp $EXTERNAL_NET 119 -> $HOME_NET any
|(msg:"NNTP return code buffer overflow attempt"; content:"200 ";
|offset:0; dsize:>100; reference:bugtraq,4900;
|classtype:protocol-command-decode; sid:1792; rev:3;)
+---

It seems like contents included "200 " and data size grater than 100.
According to Securityfocus, It only affect FreeBSD and using MNews.
You can comment out the rules using '#' if the rule is not related your
system like "MNews server" (FreeBSD). For example, if you are not using
Windoze, you can comment out the rules that's only related Windoze.

>How reliable is snort in general? I'm so far fairly impressed (and
>at times surprised; the alert log went nuts when I checked some spam
>stats on newsadmin.com. Porn spam...), but there are a few things that
>it seems to ignore. I may just not know enough about it, though.

It depend on what the purpose is your NIDS. You can customize your rule
sets for your specialized purpose. I think false positives is better
than correct negatives for security purpose. Snort system is made from
snort binary (source code), snort rule sets and _maintainer_. This is
the weak point of pattern oriented IDS. Perhaps artificial intelligence
or neural network IDS will need less maintenance. 

-- 
Regards, RainbowHat. To spoof or not to spoof, that is the IPv4 packet.
----+----1----+----2----+----3----+----4----+----5----+----6----+----7

Relevant Pages

  • Re: Please Help - Strange problem with my servers - Locked out
    ... > The other server is directly connected to the Internet ... > I have a workstation on the WORK network. ... > The WORK network can talk to both HOME and COLO ... > Does snort drop packets? ...
    (comp.unix.bsd.freebsd.misc)
  • Re: Please Help - Strange problem with my servers - Locked out
    ... > The other server is directly connected to the Internet ... > I have a workstation on the WORK network. ... > The WORK network can talk to both HOME and COLO ... > Does snort drop packets? ...
    (comp.security.firewalls)
  • RE: Any ideas?
    ... this time the first two Packets from Snort show the third part of the TCP ... because the attacker allready knows your server ... These are entries from my Snort IDS logs and my firewall logs for the IP ...
    (Security-Basics)
  • RE: Any ideas?
    ... this time the first two Packets from Snort show the third part of the TCP ... because the attacker allready knows your server ... These are entries from my Snort IDS logs and my firewall logs for the IP ...
    (Security-Basics)
  • Re: spp_portscan warning on snort
    ... Subject Re: Snort exploits ... >It seems to happen every time I download news with slrnpull from my ... >MNews server. ... I think false positives is better ...
    (comp.os.linux.security)