
Yahoo Game play alarm on BO2k Stealth

phinb
Level 1

What is the nature (what is it alarming on) of sig 3992 - sub sig 4? The IDS generated the following alerts:

1. #-BackOrifice BO2K TCP Stealth 2 216.115.108.221 11999 > aaa.bbb.102.177 4861 2001-06-10 12:54:20

2. #-BackOrifice BO2K TCP Stealth 2 216.115.108.221 11999 > aaa.bbb.76.226 2110 2001-06-11 08:56:25

3. #-BackOrifice BO2K TCP Stealth 2 216.115.108.221 11999 > aaa.bbb.76.189 1476 2001-06-11 10:47:23

4. #-BackOrifice BO2K TCP Stealth 2 216.115.108.221 11999 > aaa.bbb.76.189 2076 2001-06-11 13:15:22

5. #-BackOrifice BO2K TCP Stealth 2 216.115.108.221 11999 > aaa.bbb.76.189 2076 2001-06-11 13:17:22

6. #-BackOrifice BO2K TCP Stealth 2 216.115.108.221 11999 > aaa.bbb.76.189 2111 2001-06-11 13:34:24

7. #-BackOrifice BO2K TCP Stealth 2 216.115.108.221 11999 > aaa.bbb.76.224 1214 2001-06-11 14:27:20

8. #-BackOrifice BO2K TCP Stealth 2 216.115.108.221 11999 > aaa.bbb.76.224 1226 2001-06-11 14:40:22

9. #-BackOrifice BO2K TCP Stealth 2 216.115.108.221 11999 > aaa.bbb.76.189 1079 2001-06-11 14:42:25

When I contacted Yahoo (the source in this capture), they informed me that 11999 is "perfectly normal from the Y!Games servers, which use port 11999 on our end."

Being the untrusting type, I played a game of Battleship on the Yahoo site =) while sniffing the traffic, and it indeed used port 11999. What is setting the IDS off?

Any Ideas?

2 Replies

giovanni
Level 1

Phinb,

I've seen that same signature triggered a lot by traffic from our Domino server, so I suppose the sig is a bit too generic and fires unnecessarily.

Ciao,

Giovanni

klwiley
Cisco Employee

We have experienced problems with some different game servers as well as Napster traffic causing the BO2K stealth signatures to fire. These signatures are tuned to look for weaknesses in the encryption technology used in the tool. Unfortunately, although the signature will reliably detect the presence of the BO2K tool being used, certain other network traffic mimics its traffic patterns.

We are constantly including new decision points in the signature to exclude known good traffic patterns from consideration. If you can provide a tcpdump trace of the benign traffic that is firing the alarm we will add this traffic type to our filter in a future release.

You can send the dump file to kasper@cisco.com.

Thank you for your assistance.

KLW
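As an added example (not from this thread, and not Cisco's signature code), here is a small Python triage script that parses the alert lines quoted in the question and applies the kind of known-good exclusion klwiley describes: it profiles each source endpoint (one fixed source port fanning out to several hosts on ephemeral ports is the shape of a server answering clients, not of a trojan's control channel) and suppresses alerts from an allowlisted (host, port) endpoint. The allowlist entry and the extra 192.0.2.10 line are constructed assumptions for the demonstration.

```python
import re
from collections import defaultdict
# Constructed sample: the nine alerts quoted in the question plus one made-up
# alert from 192.0.2.10 on port 11999 (the allowlist must match host AND port).
ALERTS = """\
#-BackOrifice BO2K TCP Stealth 2 216.115.108.221 11999 > aaa.bbb.102.177 4861 2001-06-10 12:54:20
#-BackOrifice BO2K TCP Stealth 2 216.115.108.221 11999 > aaa.bbb.76.226 2110 2001-06-11 08:56:25
#-BackOrifice BO2K TCP Stealth 2 216.115.108.221 11999 > aaa.bbb.76.189 1476 2001-06-11 10:47:23
#-BackOrifice BO2K TCP Stealth 2 216.115.108.221 11999 > aaa.bbb.76.189 2076 2001-06-11 13:15:22
#-BackOrifice BO2K TCP Stealth 2 216.115.108.221 11999 > aaa.bbb.76.189 2076 2001-06-11 13:17:22
#-BackOrifice BO2K TCP Stealth 2 216.115.108.221 11999 > aaa.bbb.76.189 2111 2001-06-11 13:34:24
#-BackOrifice BO2K TCP Stealth 2 216.115.108.221 11999 > aaa.bbb.76.224 1214 2001-06-11 14:27:20
#-BackOrifice BO2K TCP Stealth 2 216.115.108.221 11999 > aaa.bbb.76.224 1226 2001-06-11 14:40:22
#-BackOrifice BO2K TCP Stealth 2 216.115.108.221 11999 > aaa.bbb.76.189 1079 2001-06-11 14:42:25
#-BackOrifice BO2K TCP Stealth 2 192.0.2.10 11999 > aaa.bbb.76.189 1500 2001-06-11 15:00:00
"""
# Sensor line layout: "#-<sig> <sev> <src> <sport> > <dst> <dport> <date> <time>"
ALERT_RE = re.compile(r"^#-(?P<sig>.+?) \d+ (?P<src>\S+) (?P<sport>\d+) > "
                      r"(?P<dst>\S+) (?P<dport>\d+) \S+ \S+$")
# Hypothetical tuning allowlist: the Yahoo! Games endpoint the poster verified.
KNOWN_GOOD_SERVERS = {("216.115.108.221", 11999)}

def parse_alerts(text):
    """Parse sensor alert lines into dicts; fail loudly on an unexpected layout."""
    rows = []
    for line in filter(None, map(str.strip, text.splitlines())):
        m = ALERT_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised alert line: {line!r}")
        row = m.groupdict()
        row["sport"], row["dport"] = int(row["sport"]), int(row["dport"])
        rows.append(row)
    return rows

def profile_sources(alerts):
    """Per (src, sport): hit count, distinct destination hosts, and whether every
    destination port was ephemeral (>= 1024), i.e. a server answering clients."""
    prof = defaultdict(lambda: {"hits": 0, "dsts": set(), "all_ephemeral": True})
    for a in alerts:
        p = prof[(a["src"], a["sport"])]
        p["hits"] += 1
        p["dsts"].add(a["dst"])
        p["all_ephemeral"] &= a["dport"] >= 1024
    return {k: {**v, "dsts": len(v["dsts"])} for k, v in prof.items()}

def triage(alerts, known_good=KNOWN_GOOD_SERVERS):
    """Split alerts into (suppressed, review) on the allowlisted source endpoint."""
    suppressed = [a for a in alerts if (a["src"], a["sport"]) in known_good]
    review = [a for a in alerts if (a["src"], a["sport"]) not in known_good]
    return suppressed, review
```

Run on the sample, the Yahoo endpoint profiles as 9 hits to 4 distinct hosts, all on ephemeral ports, and all 9 of its alerts are suppressed, while the unlisted 192.0.2.10 alert stays in the review queue even though it also uses port 11999.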