06-12-2001 03:56 PM - edited 03-08-2019 08:22 PM
What is the nature (what is it alarming on) of sig 3992, sub-sig 4? The IDS generated the following alerts:
1. #-BackOrifice BO2K TCP Stealth 2 216.115.108.221 11999 > aaa.bbb.102.177 4861 2001-06-10 12:54:20
2. #-BackOrifice BO2K TCP Stealth 2 216.115.108.221 11999 > aaa.bbb.76.226 2110 2001-06-11 08:56:25
3. #-BackOrifice BO2K TCP Stealth 2 216.115.108.221 11999 > aaa.bbb.76.189 1476 2001-06-11 10:47:23
4. #-BackOrifice BO2K TCP Stealth 2 216.115.108.221 11999 > aaa.bbb.76.189 2076 2001-06-11 13:15:22
5. #-BackOrifice BO2K TCP Stealth 2 216.115.108.221 11999 > aaa.bbb.76.189 2076 2001-06-11 13:17:22
6. #-BackOrifice BO2K TCP Stealth 2 216.115.108.221 11999 > aaa.bbb.76.189 2111 2001-06-11 13:34:24
7. #-BackOrifice BO2K TCP Stealth 2 216.115.108.221 11999 > aaa.bbb.76.224 1214 2001-06-11 14:27:20
8. #-BackOrifice BO2K TCP Stealth 2 216.115.108.221 11999 > aaa.bbb.76.224 1226 2001-06-11 14:40:22
9. #-BackOrifice BO2K TCP Stealth 2 216.115.108.221 11999 > aaa.bbb.76.189 1079 2001-06-11 14:42:25
When I contacted Yahoo (the source in this capture), they informed me that 11999 is "perfectly normal
from the Y!Games servers, which use port 11999 on our end."
Being the untrusting type, I played a game of battleship on the Yahoo site =), while sniffing the traffic, and it indeed used port 11999. What is setting the IDS off?
Any Ideas?
06-13-2001 12:36 AM
Phinb,
I've seen that same signature triggered a lot by traffic from our Domino server, so I suppose the sig is a bit too generic and fires unnecessarily.
Ciao,
Giovanni
06-13-2001 10:43 AM
We have experienced problems with some different game servers as well as Napster traffic causing the BO2K stealth signatures to fire. These signatures are tuned to look for weaknesses in the encryption technology used in the tool. Unfortunately, although the signature will reliably detect the presence of the BO2K tool being used, certain other network traffic mimics the traffic patterns.
We are constantly including new decision points in the signature to exclude known good traffic patterns from consideration. If you can provide a tcpdump trace of the benign traffic that is firing the alarm we will add this traffic type to our filter in a future release.
You can send the dump file to kasper@cisco.com.
Thank you for your assistance.
KLW
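While the vendor works a new decision point into the signature, the alerts still have to be triaged locally. The following is an added example (not part of the thread, and not Cisco's or Yahoo's code) that parses the alert lines quoted above and suppresses only those from the known Yahoo Games server, keyed on signature name, source host and source port together rather than on port 11999 alone, so a BO2K server elsewhere that happened to use 11999 would still alert. It also builds the tcpdump/BPF filter for capturing the benign flow that KLW asked for. The line layout, the meaning of the trailing number after the signature name, the exclusion policy, and the tenth sample line (source 10.0.0.5) are assumptions made for the example.

```python
"""Triage of the BO2K 'TCP Stealth' alerts quoted in the thread: parse the pasted
alert lines and suppress only those from the known Yahoo Games server
(source 216.115.108.221, source port 11999), keeping everything else."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Line layout as pasted in the thread (assumed; the console that wrote it is not named):
#   "<n>. #-<signature name> <num> <src ip> <src port> > <dst ip> <dst port> <YYYY-MM-DD HH:MM:SS>"
# The meaning of <num> (the "2" after the name) is not stated in the thread, so it is kept opaque.
ALERT_RE = re.compile(
    r"^\s*\d+\.\s+#-(?P<name>.+?)\s+(?P<num>\d+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\d+)\s+>\s+(?P<dst>\S+)\s+(?P<dport>\d+)\s+"
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s*$"
)


@dataclass(frozen=True)
class Alert:
    name: str
    num: int
    src: str
    sport: int
    dst: str
    dport: int
    ts: str


# Known-good exclusion keyed on signature name, source host AND source port.
# Keeping it this narrow is the point: excluding everything on port 11999 would
# also hide a real BO2K server that happened to listen there.
# (Assumed local tuning policy for this example, not the vendor's.)
KnownGood = Tuple[str, str, int]
KNOWN_GOOD: set = {("BackOrifice BO2K TCP Stealth", "216.115.108.221", 11999)}


def parse_alert(line: str) -> Optional[Alert]:
    """Parse one pasted alert line; return None for lines that do not match the layout."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    return Alert(m["name"], int(m["num"]), m["src"], int(m["sport"]),
                 m["dst"], int(m["dport"]), m["ts"])


def is_known_good(a: Alert, allow=KNOWN_GOOD) -> bool:
    """True only if signature, source host and source port all match an exclusion."""
    return (a.name, a.src, a.sport) in allow


def triage(lines: Iterable[str], allow=KNOWN_GOOD) -> Tuple[List[Alert], List[Alert], List[str]]:
    """Split pasted alert lines into (kept, suppressed, unparsed)."""
    kept, suppressed, unparsed = [], [], []
    for line in lines:
        a = parse_alert(line)
        if a is None:
            if line.strip():
                unparsed.append(line)
            continue
        (suppressed if is_known_good(a, allow) else kept).append(a)
    return kept, suppressed, unparsed


def bpf_filter(entry: KnownGood) -> str:
    """tcpdump/BPF expression that captures just the benign flow behind one exclusion,
    i.e. the trace the vendor asked for in the thread."""
    _, host, port = entry
    return f"host {host} and tcp port {port}"


# Sample input: the nine lines quoted in the thread (destinations masked as in the post)
# plus one CONSTRUCTED line from a different source that must not be suppressed.
SAMPLE_LINES = [
    "1. #-BackOrifice BO2K TCP Stealth 2 216.115.108.221 11999 > aaa.bbb.102.177 4861 2001-06-10 12:54:20",
    "2. #-BackOrifice BO2K TCP Stealth 2 216.115.108.221 11999 > aaa.bbb.76.226 2110 2001-06-11 08:56:25",
    "3. #-BackOrifice BO2K TCP Stealth 2 216.115.108.221 11999 > aaa.bbb.76.189 1476 2001-06-11 10:47:23",
    "4. #-BackOrifice BO2K TCP Stealth 2 216.115.108.221 11999 > aaa.bbb.76.189 2076 2001-06-11 13:15:22",
    "5. #-BackOrifice BO2K TCP Stealth 2 216.115.108.221 11999 > aaa.bbb.76.189 2076 2001-06-11 13:17:22",
    "6. #-BackOrifice BO2K TCP Stealth 2 216.115.108.221 11999 > aaa.bbb.76.189 2111 2001-06-11 13:34:24",
    "7. #-BackOrifice BO2K TCP Stealth 2 216.115.108.221 11999 > aaa.bbb.76.224 1214 2001-06-11 14:27:20",
    "8. #-BackOrifice BO2K TCP Stealth 2 216.115.108.221 11999 > aaa.bbb.76.224 1226 2001-06-11 14:40:22",
    "9. #-BackOrifice BO2K TCP Stealth 2 216.115.108.221 11999 > aaa.bbb.76.189 1079 2001-06-11 14:42:25",
    # constructed: same signature and port, different source, so it stays in the queue
    "10. #-BackOrifice BO2K TCP Stealth 2 10.0.0.5 11999 > aaa.bbb.76.189 1080 2001-06-11 15:00:00",
]

if __name__ == "__main__":
    kept, suppressed, unparsed = triage(SAMPLE_LINES)
    print(f"suppressed {len(suppressed)} known-good, kept {len(kept)}, unparsed {len(unparsed)}")
    for a in kept:
        print(f"  KEEP {a.ts} {a.name} {a.src}:{a.sport} -> {a.dst}:{a.dport}")
    for e in KNOWN_GOOD:
        print(f"  capture with: tcpdump -n -s 0 -w bo2k_fp.pcap '{bpf_filter(e)}'")
```

Run as-is, it suppresses the nine Yahoo alerts and keeps the constructed tenth one. The printed tcpdump command (the `-s 0` full-packet snaplen matters, since the vendor wants the payload patterns, not just headers) is the capture to send back for the signature filter.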