
[Snort-devel] Snort 2.0.6 fires alerts irrespective of protocol specifier

From: Bill McCarty <bmccarty(at)pt-net.net>
Date: Mon Mar 15 2004 - 13:56:19 EST


Hi all,

Using Snort 2.0.6, I see alerts for SID 2003, "MS-SQL Worm propagation attempt," triggered by ICMP traffic. However, the rule should fire only for UDP traffic. Snort seems to be peering into the payload of ICMP Unreachable datagrams related to the MS-SQL worm traffic, finding the original UDP datagram, and firing an alert.

Applicable rule:

sql.rules:alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL Worm propagation attempt"; content:"|04|"; depth:1; content:"|81 F1 03 01 04 9B 81 F1 01|"; content:"sock"; content:"send"; reference:bugtraq,5310; classtype:misc-attack; reference:bugtraq,5311; reference:url,vil.nai.com/vil/content/v_99992.htm; sid:2003; rev:2;)

Sample alert:

[**] [1:2003:2] MS-SQL Worm propagation attempt [**]
[Classification: Misc Attack] [Priority: 2]
03/14-02:44:51.607509 XXX.XXX.XXX.130 -> 69.22.64.202
ICMP TTL:64 TOS:0xC0 ID:14121 IpLen:20 DgmLen:432
Type:3 Code:3 DESTINATION UNREACHABLE: PORT UNREACHABLE
** ORIGINAL DATAGRAM DUMP:
69.22.64.202:1240 -> XXX.XXX.XXX.130:1434
UDP TTL:108 TOS:0x0 ID:61798 IpLen:20 DgmLen:404
Len: 376
** END OF DUMP

Am I missing something here? Otherwise, I presume that this is a problem with Snort 2.0.6 and has been fixed in newer releases. Can anyone confirm this?

Thanks,



Bill McCarty
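To illustrate the behaviour described in the post, here is an added example (not from the post and not Snort's own code) that decodes a constructed ICMP Port Unreachable message, extracts the embedded original UDP datagram, and shows how a "udp ... -> ... 1434" header check answers differently depending on whether it is applied to the outer packet or to the embedded datagram. The address 192.0.2.130 and the packet bytes are constructed stand-ins for the masked host in the alert above.

```python
import struct

def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header for a constructed sample (checksum left zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                       bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))

def parse_ipv4(buf):
    """Return the IPv4 header fields that a rule header check needs."""
    return {"hdr_len": (buf[0] & 0x0F) * 4, "proto": buf[9],
            "src": ".".join(map(str, buf[12:16])), "dst": ".".join(map(str, buf[16:20]))}

def parse_icmp_unreachable(pkt):
    """For an ICMP Destination Unreachable packet, return the embedded original
    datagram (RFC 792: original IP header + first 8 bytes of its data), else None."""
    outer = parse_ipv4(pkt)
    if outer["proto"] != 1:
        return None
    icmp = pkt[outer["hdr_len"]:]
    if icmp[0] != 3:
        return None
    inner_buf = icmp[8:]
    inner = parse_ipv4(inner_buf)
    l4 = inner_buf[inner["hdr_len"]:]
    sport, dport = struct.unpack("!HH", l4[:4])
    return {"code": icmp[1], "inner": inner, "sport": sport, "dport": dport}

def udp_rule_matches(pkt, rule_dport, inspect_embedded):
    """Emulate the header part of 'alert udp any any -> any <rule_dport>'.
    inspect_embedded=True models a decoder that evaluates the datagram carried
    inside an ICMP unreachable as if it were the original UDP packet."""
    outer = parse_ipv4(pkt)
    if outer["proto"] == 17:
        off = outer["hdr_len"]
        return struct.unpack("!H", pkt[off + 2:off + 4])[0] == rule_dport
    info = parse_icmp_unreachable(pkt)
    if info and inspect_embedded and info["inner"]["proto"] == 17:
        return info["dport"] == rule_dport
    return False

# Constructed sample modelled on the alert in the post: 192.0.2.130 stands in for
# the masked XXX.XXX.XXX.130. Inner datagram: UDP 69.22.64.202:1240 -> :1434 with
# 376 payload bytes; only its 8-byte UDP header survives inside the ICMP message.
INNER_UDP = (ipv4_header("69.22.64.202", "192.0.2.130", 17, 8 + 376, ttl=108)
             + struct.pack("!HHHH", 1240, 1434, 8 + 376, 0))
ICMP_UNREACH = (ipv4_header("192.0.2.130", "69.22.64.202", 1, 8 + len(INNER_UDP))
                + struct.pack("!BBHI", 3, 3, 0, 0) + INNER_UDP)

if __name__ == "__main__":
    info = parse_icmp_unreachable(ICMP_UNREACH)
    print("embedded:", info["inner"]["src"], info["sport"], "->", info["inner"]["dst"], info["dport"])
    print("udp/1434 check, outer protocol only:", udp_rule_matches(ICMP_UNREACH, 1434, False))
    print("udp/1434 check, embedded datagram inspected:", udp_rule_matches(ICMP_UNREACH, 1434, True))
```

The second print line is the situation in the post: the outer packet is ICMP, so a strict protocol check would not fire, while a decoder that re-evaluates the embedded datagram does.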


Snort-devel mailing list
Snort-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-devel

Received on Mon Mar 15 14:47:58 2004

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:10 EDT
