Cisco Support Community

New Member

Yahoo Game play alarm on BO2k Stealth

What is the nature (what is it alarming on) of sig 3992 - sub sig 4? The IDS generated the following alerts:

1. #-BackOrifice BO2K TCP Stealth 2 216.115.108.221 11999 > aaa.bbb.102.177 4861 2001-06-10 12:54:20

2. #-BackOrifice BO2K TCP Stealth 2 216.115.108.221 11999 > aaa.bbb.76.226 2110 2001-06-11 08:56:25

3. #-BackOrifice BO2K TCP Stealth 2 216.115.108.221 11999 > aaa.bbb.76.189 1476 2001-06-11 10:47:23

4. #-BackOrifice BO2K TCP Stealth 2 216.115.108.221 11999 > aaa.bbb.76.189 2076 2001-06-11 13:15:22

5. #-BackOrifice BO2K TCP Stealth 2 216.115.108.221 11999 > aaa.bbb.76.189 2076 2001-06-11 13:17:22

6. #-BackOrifice BO2K TCP Stealth 2 216.115.108.221 11999 > aaa.bbb.76.189 2111 2001-06-11 13:34:24

7. #-BackOrifice BO2K TCP Stealth 2 216.115.108.221 11999 > aaa.bbb.76.224 1214 2001-06-11 14:27:20

8. #-BackOrifice BO2K TCP Stealth 2 216.115.108.221 11999 > aaa.bbb.76.224 1226 2001-06-11 14:40:22

9. #-BackOrifice BO2K TCP Stealth 2 216.115.108.221 11999 > aaa.bbb.76.189 1079 2001-06-11 14:42:25

When I contacted Yahoo (the source in this capture), they informed me that 11999 is "perfectly normal from the Y!Games servers, which use port 11999 on our end."

Being the untrusting type, I played a game of battleship on the Yahoo site =), while sniffing the traffic, and it indeed used port 11999. What is setting the IDS off?

Any Ideas?

2 REPLIES
New Member

Re: Yahoo Game play alarm on BO2k Stealth

Phinb,

I've seen that same signature triggered a lot by traffic from our Domino server, so I suppose the sig is a bit too generic and fires unnecessarily.

Ciao,

Giovanni

Cisco Employee

Re: Yahoo Game play alarm on BO2k Stealth

We have experienced problems with some different game servers as well as Napster traffic causing the BO2K stealth signatures to fire. These signatures are tuned to look for weaknesses in the encryption technology used in the tool. Unfortunately although the signature reliably will detect the presence of the BO2K tool being used, certain other network traffic mimics the traffic patterns.

We are constantly including new decision points in the signature to exclude known good traffic patterns from consideration. If you can provide a tcpdump trace of the benign traffic that is firing the alarm we will add this traffic type to our filter in a future release.

You can send the dump file to kasper@cisco.com.

Thank you for your assistance.

KLW
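As an added example (not code from the original thread or from Cisco), here is a small triage script for alert lines in the format the original post shows: it parses them, groups them by source address and port, notes whether the group has the shape of server reply traffic that the Yahoo explanation predicts, and marks groups the analyst has already verified as benign so they can be suppressed while the signature itself stays enabled. The KNOWN_BENIGN list and the looks_like_server_replies heuristic are assumptions of this example, not part of the sensor.

```python
import re
from collections import defaultdict

# Alert lines copied from the original post (aaa.bbb is the poster's own address masking).
ALERTS = """\
#-BackOrifice BO2K TCP Stealth 2 216.115.108.221 11999 > aaa.bbb.102.177 4861 2001-06-10 12:54:20
#-BackOrifice BO2K TCP Stealth 2 216.115.108.221 11999 > aaa.bbb.76.226 2110 2001-06-11 08:56:25
#-BackOrifice BO2K TCP Stealth 2 216.115.108.221 11999 > aaa.bbb.76.189 1476 2001-06-11 10:47:23
#-BackOrifice BO2K TCP Stealth 2 216.115.108.221 11999 > aaa.bbb.76.224 1214 2001-06-11 14:27:20
""".splitlines()

# Sources verified out of band as benign, as (ip, port). Hypothetical list for this example;
# the thread only establishes that Yahoo's game servers answer from 216.115.108.221 port 11999.
KNOWN_BENIGN = {("216.115.108.221", 11999)}

ALERT_RE = re.compile(
    r"^#-(?P<name>.+?) (?P<src>[\d.]+) (?P<sport>\d+) > (?P<dst>\S+) (?P<dport>\d+) "
    r"(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2})$"
)

def parse_alert(line):
    """Split one sensor alert line into its fields; ports become ints."""
    m = ALERT_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised alert format: {line!r}")
    fields = m.groupdict()
    fields["sport"], fields["dport"] = int(fields["sport"]), int(fields["dport"])
    return fields

def triage(lines, benign=KNOWN_BENIGN):
    """Group alerts by (src, sport) and annotate each group for the analyst."""
    groups = defaultdict(list)
    for line in lines:
        alert = parse_alert(line)
        groups[(alert["src"], alert["sport"])].append(alert)
    report = {}
    for key, alerts in groups.items():
        report[key] = {
            "count": len(alerts),
            "destinations": sorted({a["dst"] for a in alerts}),
            # One fixed source port talking to many ephemeral client ports is the shape of
            # server reply traffic, which is what the Yahoo explanation predicts.
            "looks_like_server_replies": all(a["dport"] >= 1024 for a in alerts),
            # Suppress only sources the analyst has confirmed; the signature stays enabled
            # so genuine BO2K traffic from any other source is still reported.
            "suppressed": key in benign,
        }
    return report
```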
