LinuxQuestions.org
Old 05-11-2003, 08:25 PM   #1
Crashed_Again
Senior Member
 
Registered: Dec 2002
Location: Atlantic City, NJ
Distribution: Ubuntu & Arch
Posts: 3,503

Rep: Reputation: 57
Snort Picking Up M$ Vulnerability


Hey all. I just installed snort/acid/mysql and it's pretty cool. I keep getting a ridiculous amount of reports about these UDP packets.
The summary in ACID says:

"MISC UPNP malformed advertisement".

Universal Plug and Play (UPnP) on Windows 98, 98E, ME, and XP allows remote attackers to cause a denial of service via (1) a spoofed SSDP advertisement that causes the client to connect to a service on another machine that generates a large amount of traffic (e.g., chargen), or (2) via a spoofed SSDP announcement to broadcast or multicast addresses, which could cause all UPnP clients to send traffic to a single target system.

Ummm...why would I have that? Here is a link for a full explanation of the exploit. What could be causing this?

Last edited by Crashed_Again; 05-11-2003 at 08:27 PM.
 
Old 05-12-2003, 10:34 PM   #2
speedracer05
Member
 
Registered: Jul 2002
Location: San Diego
Distribution: RH 8
Posts: 33

Rep: Reputation: 15
Crashed_Again,

Windows XP is shipped with UPNP installed and running by default. You will notice, if you have an XP box on your network, that you receive the "SCAN UPNP service discover attempt" message frequently.

You can disable UPNP with this program:

http://grc.com/unpnp/unpnp.htm

I hope this helps.
 
Old 05-12-2003, 11:04 PM   #3
Crashed_Again
Senior Member
 
Registered: Dec 2002
Location: Atlantic City, NJ
Distribution: Ubuntu & Arch
Posts: 3,503

Original Poster
Rep: Reputation: 57
hmmmm...I don't have a Windows XP box on my network. It's possible that I set up the snort.conf file wrong.
 
Old 05-12-2003, 11:47 PM   #4
speedracer05
Member
 
Registered: Jul 2002
Location: San Diego
Distribution: RH 8
Posts: 33

Rep: Reputation: 15
No Windows machines at all? If not, do you have a honeypot setup that emulates UPnP?

If you do not have any issues with UPnP, you could always comment any occurrences of the UPnP alert in the snort rules directory.
 
Old 05-13-2003, 12:19 AM   #5
Crashed_Again
Senior Member
 
Registered: Dec 2002
Location: Atlantic City, NJ
Distribution: Ubuntu & Arch
Posts: 3,503

Original Poster
Rep: Reputation: 57
I think the problem was in my snort.conf. I changed the variable:

var HOME_NET any

and replaced any with my IP address. It seems to be working because I am picking up all the Code Red and Nimda attempts to get into an IIS server but the Plug and Play Vulnerability does not show anymore.

Is it possible that because I had 'any' before it was picking up other people's machines on my ISP?

hmmm...
 
Old 05-14-2003, 06:17 AM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,335
Blog Entries: 55

Rep: Reputation: 3535
Quote: "Is it possible that because I had 'any' before it was picking up other people's machines on my ISP?"
In short, yes.

With a Snort sensor in promiscuous mode, and $HOME_NET set to "any", a rule then won't be parsed with $HOME_NET having any specific meaning to the filters. This should not affect rules that use snort.conf's vars like $HTTP_SERVERS etc etc unless they're set to "any" as well.
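
An added example, not part of the thread and not Snort's own code: a simplified model of rule-header matching that shows why `var HOME_NET any` made the sensor alert on neighbours' UPnP traffic. The rule header, the addresses and the packets are assumptions constructed for illustration; only the header is evaluated, not the rule's content options.

```python
import ipaddress

# Assumed header for the UPnP rule (the thread quotes only its message text).
RULE_HEADER = "alert udp $EXTERNAL_NET any -> $HOME_NET 1900"

def expand(header, variables):
    """Substitute snort.conf-style $VARS into a rule header."""
    for name, value in variables.items():
        header = header.replace("$" + name, value)
    return header

def addr_matches(spec, ip):
    """True if ip falls inside spec: 'any', a CIDR block, or a single IP."""
    if spec == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def port_matches(spec, port):
    return spec == "any" or int(spec) == port

def header_matches(header, pkt):
    _action, proto, src, sport, _arrow, dst, dport = header.split()
    return (proto == pkt["proto"]
            and addr_matches(src, pkt["src"]) and port_matches(sport, pkt["sport"])
            and addr_matches(dst, pkt["dst"]) and port_matches(dport, pkt["dport"]))

# Constructed packets, as a promiscuous sensor on a shared ISP segment might see.
PACKETS = [
    # a neighbour's SSDP multicast advertisement
    {"proto": "udp", "src": "198.51.100.7", "sport": 1900, "dst": "239.255.255.250", "dport": 1900},
    # neighbour-to-neighbour traffic on the UPnP port
    {"proto": "udp", "src": "198.51.100.9", "sport": 4242, "dst": "198.51.100.23", "dport": 1900},
    # traffic actually addressed to the sensor's own host (203.0.113.5)
    {"proto": "udp", "src": "198.51.100.9", "sport": 4242, "dst": "203.0.113.5", "dport": 1900},
]

def count_hits(home_net):
    """Number of sample packets whose header matches for a given HOME_NET."""
    header = expand(RULE_HEADER, {"EXTERNAL_NET": "any", "HOME_NET": home_net})
    return sum(header_matches(header, p) for p in PACKETS)

if __name__ == "__main__":
    print("HOME_NET any            ->", count_hits("any"), "of", len(PACKETS))
    print("HOME_NET 203.0.113.5/32 ->", count_hits("203.0.113.5/32"), "of", len(PACKETS))
```

With `any`, the destination test is always true, so every UDP packet to port 1900 on the wire is a candidate alert; scoping HOME_NET to the protected host leaves only traffic addressed to it.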
 
  

