LinuxQuestions.org > Forums > Linux Forums > Linux - Security

Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Old 09-29-2013, 10:11 PM   #1
OtagoHarbour
Member
 
Registered: Oct 2011
Posts: 332

Rep: Reputation: 3
Denial of Service Vulnerability Alert from Snort


I am using Linux 3.2.0-4-amd64 on Debian 7.0. Snort 2.9.2.2 keeps giving me this alert repeatedly.

Code:
[**] [1:527:8] BAD-TRAFFIC same SRC/DST [**]
[Classification: Potentially Bad Traffic] [Priority: 2] 
09/29-07:35:35.694567 2001:0:4137:9e76:30ab:b13:b7ba:7bc6 -> ff02::1
IPV6-NONXT TTL:21 TOS:0x0 ID:0 IpLen:40 DgmLen:40
[Xref => http://www.cert.org/advisories/CA-1997-28.html][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=1999-0016][Xref => http://www.securityfocus.com/bid/2666]
and sometimes gives me

Code:
[**] [1:527:8] BAD-TRAFFIC same SRC/DST [**]
[Classification: Potentially Bad Traffic] [Priority: 2] 
09/29-08:06:03.897329 0.0.0.0:68 -> 255.255.255.255:67
UDP TTL:255 TOS:0x0 ID:12645 IpLen:20 DgmLen:328
Len: 300
[Xref => http://www.cert.org/advisories/CA-1997-28.html][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=1999-0016][Xref => http://www.securityfocus.com/bid/2666]
I went to the links specified in the alerts and they appear to be referring to Teardrop and Land DoS. However one of the links says that the teardrop applies to an earlier version of Linux (Linux 2.0.x kernels prior to 2.0.32). It also says "Topic 2 - Land - There are no known reports of any version of the Linux kernel, including those shipping with Caldera OpenLinux, being vulnerable to this exploit. " The link is also dated 1998.

Yet one of the other links has the heading "Land IP denial of service".

I installed the latest version of Snort earlier this year. I was wondering why it was giving me old links but, more importantly, how should I deal with this alert?

Last edited by OtagoHarbour; 10-01-2013 at 08:24 AM.
 
Old 09-30-2013, 01:42 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by OtagoHarbour View Post
I was wondering why it was giving me old links but,
Some attacks have simply been recorded ages ago and therefore the references will be old too.


Quote:
Originally Posted by OtagoHarbour View Post
more importantly, how should I deal with this alert?
Analyse. Check the characteristics of the attack to see if it is plausible or noise. (In your case start with resolving the IPv4 addresses involved and the services on these two ports.) The hardest part of running Snort is rule management. Best start with checking what services you provide and disable other rule sets. How you do that (manually, using Oinkmaster or equivalent) is up to you. Regularly review new rules and the effectivity of old rules.
 
Old 09-30-2013, 09:49 PM   #3
OtagoHarbour
Member
 
Registered: Oct 2011
Posts: 332

Original Poster
Rep: Reputation: 3
Quote:
Originally Posted by unSpawn View Post
Analyse. Check the characteristics of the attack to see if it is plausible or noise. (In your case start with resolving the IPv4 addresses involved
I get ff02::1 as the destination in a lot of alerts. I looked it up and it seems to be ipv6 lingo for all nodes on the local network segment. 2001:0:4137:9e76:30ab:b13:b7ba:7bc6 is the source on most of the alerts but I could not find any info. about it.

Quote:
The hardest part of running Snort is rule management. Best start with checking what services you provide and disable other rule sets. How you do that (manually, using Oinkmaster or equivalent) is up to you. Regularly review new rules and the effectivity of old rules.
I'm thinking of closing the ports that I don't need that I have open according to nmap (like telnet). I am then thinking of editing snort.conf and disabling rules related to ports that are not shown as open by nmap. Does that seem like the right approach?

Thanks,
OH.

Last edited by OtagoHarbour; 10-01-2013 at 08:24 AM.
 
Old 10-01-2013, 03:57 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by OtagoHarbour View Post
I get ff02::1 as the destination in a lot of alerts. I looked it up and it seems to be ipv6 lingo for all nodes on the local network segment. 2001:0:4137:9e76:30ab:b13:b7ba:7bc6 is the source on most of the alerts but I could not find any info. about it.
Looking around a bit, it seems this SID catches a lot of traffic that's proprietary protocols, voice communications, networked printers and, as in the second of your examples, DHCP.
I'd disable the SID or at least put a threshold on it.


Quote:
Originally Posted by OtagoHarbour View Post
I'm thinking of closing the ports that I don't need that I have open according to nmap (like telnet).
Compare nmap output with what 'netstat -ntulpe' returns wrt services you provide. Then check which ones are (or should be) blocked or restricted using the router's firewall (if any), the host's firewall and other means like hosts allow (that's and, not or).


Quote:
Originally Posted by OtagoHarbour View Post
I am then thinking of editing snort.conf and disabling rules related to ports that are not shown as open by nmap. Does that seem like the right approach?
Comment rule sets out first for services you don't run.
 
Old 10-05-2013, 07:59 AM   #5
OtagoHarbour
Member
 
Registered: Oct 2011
Posts: 332

Original Poster
Rep: Reputation: 3
Quote:
Originally Posted by unSpawn View Post
Looking around a bit, it seems this SID catches a lot of traffic that's proprietary protocols, voice communications, networked printers and, as in the second of your examples, DHCP.
I'd disable the SID or at least put a threshold on it.
Sorry about the slow reply. I looked at the snort manual here and it appears that threshold is deprecated and that they recommend using the detection filter here which doesn't make much sense to me since it filters based on time rather than on severity. I tried modifying the rule thus

Code:
alert ip any any -> any any (msg:"BAD-TRAFFIC same SRC/DST"; sameip; reference:bugtraq,2666; reference:cve,1999-0016; \
        detection_filter:track by_src, count 1, seconds 3600; reference:url,www.cert.org/advisories/CA-1997-28.html; classtype:bad-unknown; sid:527; rev:8;)
I made this change 3 days ago but I still get the alert every 6 minutes. Here are the last few entries of /var/log/snort

Code:
[**] [1:527:8] BAD-TRAFFIC same SRC/DST [**]
[Classification: Potentially Bad Traffic] [Priority: 2] 
10/04-22:52:37.846932 2001:0:9d38:90d7:85:2232:b7ae:7ca6 -> ff02::1
IPV6-NONXT TTL:21 TOS:0x0 ID:0 IpLen:40 DgmLen:40
[Xref => http://www.cert.org/advisories/CA-1997-28.html][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=1999-0016][Xref => http://www.securityfocus.com/bid/2666]

[**] [1:527:8] BAD-TRAFFIC same SRC/DST [**]
[Classification: Potentially Bad Traffic] [Priority: 2] 
10/04-22:59:07.043510 2001:0:9d38:90d7:85:2232:b7ae:7ca6 -> ff02::1
IPV6-NONXT TTL:21 TOS:0x0 ID:0 IpLen:40 DgmLen:40
[Xref => http://www.cert.org/advisories/CA-1997-28.html][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=1999-0016][Xref => http://www.securityfocus.com/bid/2666]

[**] [1:527:8] BAD-TRAFFIC same SRC/DST [**]
[Classification: Potentially Bad Traffic] [Priority: 2] 
10/04-23:05:13.828471 2001:0:9d38:90d7:85:2232:b7ae:7ca6 -> ff02::1
IPV6-NONXT TTL:21 TOS:0x0 ID:0 IpLen:40 DgmLen:40
[Xref => http://www.cert.org/advisories/CA-1997-28.html][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=1999-0016][Xref => http://www.securityfocus.com/bid/2666]
Snort is being run as a daemon based on my having set it up to run once a day. Here is my "ps -aux" output.

Code:
OtagoHarbour@app-server:~/Downloads/base-1.4.5$ ps aux | grep snort
snort    10824  0.0  2.9 478604 112624 ?       Ssl  07:35   0:00 /usr/sbin/snort -m 027 -D -d -l /var/log/snort -u snort -g snort -c /etc/snort/snort.conf -S HOME_NET=[192.168.0.0/16] -i eth0
OtagoHarbour    11198  0.0  0.0   7832   844 pts/0    S+   08:06   0:00 grep snort
So it seems like it starts at 07:35 local time every day.

I tried running

Code:
sudo /usr/sbin/snort -m 027 -d -l ./snortLog -u OtagoHarbour -c /etc/snort/snort.conf -S HOME_NET=[192.168.0.0/16] -i eth0
and get the message even more frequently. I got this after 10 minutes.

Code:
OtagoHarbour@app-server:~$ cat snortLog/alert
[**] [1:527:8] BAD-TRAFFIC same SRC/DST [**]
[Classification: Potentially Bad Traffic] [Priority: 2] 
10/05-08:30:56.988252 0.0.0.0:68 -> 255.255.255.255:67
UDP TTL:128 TOS:0x0 ID:20542 IpLen:20 DgmLen:346
Len: 318
[Xref => http://www.cert.org/advisories/CA-1997-28.html][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=1999-0016][Xref => http://www.securityfocus.com/bid/2666]

[**] [1:527:8] BAD-TRAFFIC same SRC/DST [**]
[Classification: Potentially Bad Traffic] [Priority: 2] 
10/05-08:36:53.403094 0.0.0.0:68 -> 255.255.255.255:67
UDP TTL:255 TOS:0x0 ID:30076 IpLen:20 DgmLen:328
Len: 300
[Xref => http://www.cert.org/advisories/CA-1997-28.html][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=1999-0016][Xref => http://www.securityfocus.com/bid/2666]

[**] [1:527:8] BAD-TRAFFIC same SRC/DST [**]
[Classification: Potentially Bad Traffic] [Priority: 2] 
10/05-08:36:53.992467 :: -> ff02::1:ff81:3dfc
IPV6-ICMP TTL:255 TOS:0x0 ID:0 IpLen:40 DgmLen:64
[Xref => http://www.cert.org/advisories/CA-1997-28.html][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=1999-0016][Xref => http://www.securityfocus.com/bid/2666]

[**] [1:527:8] BAD-TRAFFIC same SRC/DST [**]
[Classification: Potentially Bad Traffic] [Priority: 2] 
10/05-08:36:54.732172 :: -> ff02::16
IPV6-ICMP TTL:1 TOS:0x0 ID:84017152 IpLen:40 DgmLen:96
[Xref => http://www.cert.org/advisories/CA-1997-28.html][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=1999-0016][Xref => http://www.securityfocus.com/bid/2666]

[**] [1:527:8] BAD-TRAFFIC same SRC/DST [**]
[Classification: Potentially Bad Traffic] [Priority: 2] 
10/05-08:37:22.406848 2001:0:9d38:6abd:20a1:de5:b7ae:7ca6 -> ff02::1
IPV6-NONXT TTL:21 TOS:0x0 ID:0 IpLen:40 DgmLen:40
[Xref => http://www.cert.org/advisories/CA-1997-28.html][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=1999-0016][Xref => http://www.securityfocus.com/bid/2666]

[**] [1:527:8] BAD-TRAFFIC same SRC/DST [**]
[Classification: Potentially Bad Traffic] [Priority: 2] 
10/05-08:39:05.924745 :: -> ff02::1:ff21:5682
IPV6-ICMP TTL:255 TOS:0x0 ID:0 IpLen:40 DgmLen:64
[Xref => http://www.cert.org/advisories/CA-1997-28.html][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=1999-0016][Xref => http://www.securityfocus.com/bid/2666]

[**] [1:527:8] BAD-TRAFFIC same SRC/DST [**]
[Classification: Potentially Bad Traffic] [Priority: 2] 
10/05-08:39:06.500885 0.0.0.0:68 -> 255.255.255.255:67
UDP TTL:255 TOS:0x0 ID:4008 IpLen:20 DgmLen:328
Len: 300
[Xref => http://www.cert.org/advisories/CA-1997-28.html][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=1999-0016][Xref => http://www.securityfocus.com/bid/2666]

[**] [1:527:8] BAD-TRAFFIC same SRC/DST [**]
[Classification: Potentially Bad Traffic] [Priority: 2] 
10/05-08:39:08.555708 0.0.0.0:68 -> 255.255.255.255:67
UDP TTL:255 TOS:0x0 ID:4009 IpLen:20 DgmLen:328
Len: 300
[Xref => http://www.cert.org/advisories/CA-1997-28.html][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=1999-0016][Xref => http://www.securityfocus.com/bid/2666]

[**] [1:527:8] BAD-TRAFFIC same SRC/DST [**]
[Classification: Potentially Bad Traffic] [Priority: 2] 
10/05-08:41:20.808263 2001:0:9d38:6ab8:1c2c:2af8:b7ae:7ca6 -> ff02::1
IPV6-NONXT TTL:21 TOS:0x0 ID:0 IpLen:40 DgmLen:40
[Xref => http://www.cert.org/advisories/CA-1997-28.html][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=1999-0016][Xref => http://www.securityfocus.com/bid/2666]
Quote:
Compare nmap output with what 'netstat -ntulpe' returns wrt services you provide. Then check which ones are (or should be) blocked or restricted using the router's firewall (if any), the host's firewall and other means like hosts allow (that's and, not or).
I tried

Code:
sudo netstat -ntulp
since I wasn't sure if I should post my inodes. I got

Code:
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      3364/sshd       
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      3120/cupsd      
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      30770/master    
tcp        0      0 0.0.0.0:37604           0.0.0.0:*               LISTEN      1887/rpc.statd  
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      12379/mysqld    
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      1856/rpcbind    
tcp6       0      0 :::22                   :::*                    LISTEN      3364/sshd       
tcp6       0      0 ::1:631                 :::*                    LISTEN      3120/cupsd      
tcp6       0      0 :::25                   :::*                    LISTEN      30770/master    
tcp6       0      0 :::48516                :::*                    LISTEN      1887/rpc.statd  
tcp6       0      0 :::111                  :::*                    LISTEN      1856/rpcbind    
tcp6       0      0 :::80                   :::*                    LISTEN      9474/apache2    
udp        0      0 0.0.0.0:47585           0.0.0.0:*                           2725/avahi-daemon: 
udp        0      0 0.0.0.0:631             0.0.0.0:*                           3120/cupsd      
udp        0      0 0.0.0.0:759             0.0.0.0:*                           1856/rpcbind    
udp        0      0 127.0.0.1:791           0.0.0.0:*                           1887/rpc.statd  
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           2725/avahi-daemon: 
udp        0      0 0.0.0.0:7502            0.0.0.0:*                           2918/dhclient   
udp        0      0 0.0.0.0:1900            0.0.0.0:*                           3347/minissdpd  
udp        0      0 0.0.0.0:68              0.0.0.0:*                           2918/dhclient   
udp        0      0 0.0.0.0:111             0.0.0.0:*                           1856/rpcbind    
udp        0      0 0.0.0.0:57638           0.0.0.0:*                           1887/rpc.statd  
udp6       0      0 :::759                  :::*                                1856/rpcbind    
udp6       0      0 :::5353                 :::*                                2725/avahi-daemon: 
udp6       0      0 :::34827                :::*                                2725/avahi-daemon: 
udp6       0      0 :::111                  :::*                                1856/rpcbind    
udp6       0      0 :::53405                :::*                                1887/rpc.statd  
udp6       0      0 :::47525                :::*                                2918/dhclient
Code:
nmap [myIPv4]
gave me

Code:
Not shown: 993 closed ports
PORT     STATE    SERVICE
23/tcp   open     telnet
80/tcp   open     http
443/tcp  filtered https
992/tcp  open     telnets
4567/tcp open     tram
8080/tcp open     http-proxy
8443/tcp open     https-alt
I'm confused about telnet since I have several servers on a router. If someone could telnet, what server would they be telneting to?

Also, when I tried

Code:
telnet [myIPv4]
I got
Code:
Trying [myIPv4]...
Connected to [myIPv4].
Escape character is '^]'.
Connection closed by foreign host.
Thanks,
OH.
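Added example, not part of the thread: a small Python triage script for the alert file posted above. It parses Snort's fast-format records, groups them by protocol, source and destination, labels the same-src/dst patterns that are known to be benign (the DHCP broadcast from 0.0.0.0, the IPv6 unspecified-source ICMP, the all-nodes multicast) and prints threshold.conf lines. It uses event_filter with type limit, the threshold.conf mechanism that replaced the deprecated rule-level threshold keyword, rather than the in-rule detection_filter, which defines a rate that must be exceeded before the rule fires. The sample records are constructed from the posts above; the suppress/event_filter values are a starting point, not the thread's own configuration.

```python
import re
from collections import Counter
# Constructed sample in the format Snort writes to /var/log/snort/alert (records from the thread).
SAMPLE_ALERTS = """\
[**] [1:527:8] BAD-TRAFFIC same SRC/DST [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
10/05-08:30:56.988252 0.0.0.0:68 -> 255.255.255.255:67
UDP TTL:128 TOS:0x0 ID:20542 IpLen:20 DgmLen:346

[**] [1:527:8] BAD-TRAFFIC same SRC/DST [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
10/05-08:36:53.992467 :: -> ff02::1:ff81:3dfc
IPV6-ICMP TTL:255 TOS:0x0 ID:0 IpLen:40 DgmLen:64

[**] [1:527:8] BAD-TRAFFIC same SRC/DST [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
10/05-08:37:22.406848 2001:0:9d38:6abd:20a1:de5:b7ae:7ca6 -> ff02::1
IPV6-NONXT TTL:21 TOS:0x0 ID:0 IpLen:40 DgmLen:40
"""

HEADER = re.compile(r"^\[\*\*\] \[(\d+):(\d+):\d+\] .* \[\*\*\]$")  # [gid:sid:rev] msg
PACKET = re.compile(r"^\S+ (\S+) -> (\S+)$")                        # timestamp src -> dst

def strip_port(addr):
    return addr.rsplit(":", 1)[0] if "." in addr else addr  # drop :port on IPv4 endpoints

def parse_alerts(text):
    """Count records by (gid, sid, proto, src, dst); malformed records are skipped."""
    groups = Counter()
    for block in text.strip().split("\n\n"):
        lines = block.splitlines()
        hdr = HEADER.match(lines[0]) if len(lines) >= 4 else None
        pkt = PACKET.match(lines[2]) if hdr else None
        if pkt:
            proto = lines[3].split()[0]  # UDP, IPV6-ICMP, IPV6-NONXT, ...
            groups[(int(hdr[1]), int(hdr[2]), proto,
                    strip_port(pkt[1]), strip_port(pkt[2]))] += 1
    return groups

def classify(proto, src, dst):
    """Name the benign same-src/dst patterns from the thread; None means look closer."""
    if proto == "UDP" and src == "0.0.0.0" and dst == "255.255.255.255":
        return "DHCP client with no address yet (DISCOVER/REQUEST broadcast)"
    if proto == "IPV6-ICMP" and src == "::":
        return "IPv6 unspecified source: duplicate address detection / MLD report"
    if dst == "ff02::1":
        return "IPv6 all-nodes multicast on the link (2001:0::/32 is the Teredo prefix)"
    return None

def suggest_filters(groups):
    """threshold.conf lines: suppress benign IPv4 sources per SID, rate-limit the rest."""
    out = [f"suppress gen_id {g}, sig_id {s}, track by_src, ip {src}"
           for (g, s, proto, src, dst) in sorted(groups)
           if "." in src and classify(proto, src, dst)]
    for g, s in sorted({k[:2] for k in groups}):  # at most one alert per source per hour
        out.append(f"event_filter gen_id {g}, sig_id {s}, type limit, "
                   f"track by_src, count 1, seconds 3600")
    return out
```

Run it against the real file with parse_alerts(open("/var/log/snort/alert").read()) and look at groups that classify() leaves unexplained before adding any filter; those are the ones worth a closer look.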
 
Old 10-06-2013, 05:17 AM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by OtagoHarbour View Post
I made this change 3 days ago but I still get the alert every 6 minutes. (..) Snort is being run as a daemon based on my having set it up to run once a day. (..) I tried running (..) and get the message even more frequently. I got this after 10 minutes.
First, when you use unified logging (which you should for reasons of performance) you don't need to restart Snort every day. Second, I'd ditch the rule as the only thing it's tripping on is same source and destination (apparently the rule was in deleted.rules last year so I don't know how current your rule set is?) half of which seems DHCP traffic.


Quote:
Originally Posted by OtagoHarbour View Post
Code:
telnet [myIPv4]
Without knowing if you've done nmap / telnet from a remote host, what your ISP filters, what your router accepts for itself, what your router passes through or whatever else on your LAN would advertise telnet this could well be your router itself blocking access to its management interface? Confirm by perusing its config / management options.
 
1 members found this post helpful.
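Added example, not from the thread: reconciling the 'netstat -ntulp' and nmap listings posted above in Python, along the lines unSpawn suggests. TCP ports the scan reports open but that no process on this host binds (23 and 8080 in the sample) are answered by something in front of the host, such as the router's own services; ports bound on the host but not seen open by the scan (22 and 25) are not forwarded or are filtered upstream. The netstat and nmap excerpts are constructed from the outputs above, and only TCP is compared because the posted scan is a TCP scan.

```python
import re

# Constructed excerpts of the 'sudo netstat -ntulp' and 'nmap [myIPv4]' outputs posted above.
NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      3364/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      3120/cupsd
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      30770/master
tcp6       0      0 :::80                   :::*                    LISTEN      9474/apache2
udp        0      0 0.0.0.0:68              0.0.0.0:*                           2918/dhclient
"""
NMAP = """\
PORT     STATE    SERVICE
23/tcp   open     telnet
80/tcp   open     http
443/tcp  filtered https
8080/tcp open     http-proxy
"""

def host_listeners(netstat_text):
    """(proto, port) -> program name for sockets bound to a non-loopback address."""
    listeners = {}
    for line in netstat_text.splitlines()[1:]:
        fields = line.split()
        addr, port = fields[3].rsplit(":", 1)
        if addr in ("127.0.0.1", "::1"):
            continue  # loopback-only: not reachable from the network, nothing to reconcile
        listeners[(fields[0].rstrip("6"), int(port))] = fields[-1].split("/", 1)[-1]
    return listeners

def scanned_ports(nmap_text):
    """(proto, port) -> state as reported in nmap's port table."""
    states = {}
    for m in re.finditer(r"^(\d+)/(tcp|udp)\s+(\S+)", nmap_text, re.M):
        states[(m[2], int(m[1]))] = m[3]
    return states

def reconcile(netstat_text, nmap_text):
    """Return (TCP ports open in the scan but not bound here,
               TCP ports bound here but not open in the scan)."""
    here = host_listeners(netstat_text)
    seen = scanned_ports(nmap_text)
    not_ours = sorted(p for (proto, p), st in seen.items()
                      if proto == "tcp" and st == "open" and (proto, p) not in here)
    unreached = sorted(p for (proto, p) in here
                       if proto == "tcp" and seen.get((proto, p)) != "open")
    return not_ours, unreached

if __name__ == "__main__":
    foreign, hidden = reconcile(NETSTAT, NMAP)
    print("open in scan but not bound on this host (answered upstream):", foreign)
    print("bound on this host but not open in scan (not forwarded/filtered):", hidden)
```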
Old 10-13-2013, 09:08 AM   #7
OtagoHarbour
Member
 
Registered: Oct 2011
Posts: 332

Original Poster
Rep: Reputation: 3
Quote:
Originally Posted by unSpawn View Post
First, when you use unified logging (which you should for reasons of performance) you don't need to restart Snort every day. Second, I'd ditch the rule as the only thing it's tripping on is same source and destination (apparently the rule was in deleted.rules last year so I don't know how current your rule set is?) half of which seems DHCP traffic.



Without knowing if you've done nmap / telnet from a remote host, what your ISP filters, what your router accepts for itself, what your router passes through or whatever else on your LAN would advertise telnet this could well be your router itself blocking access to its management interface? Confirm by perusing its config / management options.
Sorry about the slow reply. I checked my snort rules files and they were out of date. I had thought that I would get the most up to date rules when I installed snort but that was not the case. The rules files were years old although I only installed snort a month or two ago.

Thanks,
OH
 
Old 10-13-2013, 09:26 AM   #8
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
I already hinted at that?:
Quote:
Originally Posted by unSpawn View Post
(apparently the rule was in deleted.rules last year so I don't know how current your rule set is?)
 