Hi
It looks like a huge bug that causes an Anti-Portscan problem.
As long as Anti-Portscan is active, it generates thousands of events from all of my network, which makes it very slow.
Example of the Anti-Portscan reports:
2008:04:17-16:42:17 (none) ulogd[2992]: id="2102" severity="info" sys="SecureNet" sub="ips" name="portscan detected" action="portscan" fwrule="60017" initf="eth0" outitf="eth0" dstmac="00:18:8b:48:8c:1e" srcmac="00:18:71:36:13:c1" srcip="1.2.0.11" dstip="1.1.0.70" proto="17" length="75" tos="0x00" prec="0x00" ttl="63" srcport="161" dstport="3562"
srcip="1.2.0.11" is an HP switch!!!
And id="2102", according to SNORT, is supposed to be cancelled.
From SNORT:
SID: 1:2102
Message: DELETED NETBIOS SMB SMB_COM_TRANSACTION Max Data Count of 0 DOS Attempt
Summary: A buffer overflow exists in the SMB (Server Message Block) Protocol implementation in Microsoft Windows NT, Windows 2000, and Windows XP that allows attackers to cause a denial of service via a NetShareEnum request.
This rule has been deprecated due to an inordinately large number of false positives. Rule 2101 has been modified to take this into account.
Impact: An attacker can cause the target system to lock up and require manual reboot. With more research, an attacker may be able to exploit this buffer overflow and execute arbitrary code, but this research has not been made public at this time....
Am I right about it?
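As an added example (not from the original post or from the product's own code), a small Python triage script that parses ulogd lines in the format quoted above and reports, per source IP, how many "portscan detected" events are UDP replies from a well-known service port (such as SNMP on 161) to an ephemeral port, which is the pattern a polled switch produces. The sample lines and the service-port heuristic are constructed assumptions for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample events modelled on the ulogd line quoted in the post (not real captured data)
SAMPLE_LOG = [
    '2008:04:17-16:42:17 (none) ulogd[2992]: id="2102" severity="info" sys="SecureNet" sub="ips" '
    'name="portscan detected" action="portscan" fwrule="60017" initf="eth0" outitf="eth0" '
    'srcip="1.2.0.11" dstip="1.1.0.70" proto="17" length="75" ttl="63" srcport="161" dstport="3562"',
    '2008:04:17-16:42:18 (none) ulogd[2992]: id="2102" severity="info" sys="SecureNet" sub="ips" '
    'name="portscan detected" action="portscan" fwrule="60017" initf="eth0" outitf="eth0" '
    'srcip="1.2.0.11" dstip="1.1.0.71" proto="17" length="75" ttl="63" srcport="161" dstport="3563"',
    '2008:04:17-16:42:19 (none) ulogd[2992]: id="2102" severity="info" sys="SecureNet" sub="ips" '
    'name="portscan detected" action="portscan" fwrule="60017" initf="eth0" outitf="eth0" '
    'srcip="1.2.0.99" dstip="1.1.0.70" proto="6" length="60" ttl="63" srcport="40001" dstport="22"',
]

KV_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_ulogd(line):
    """Split a ulogd line into its timestamp plus a dict of the key="value" fields."""
    head, _, body = line.partition(': ')          # head: '2008:04:17-16:42:17 (none) ulogd[2992]'
    fields = dict(KV_RE.findall(body))
    fields['timestamp'] = head.split(' ', 1)[0]
    return fields

# Assumed heuristic: UDP services whose replies go FROM a fixed low port TO an ephemeral
# client port. A monitoring poller querying many devices produces exactly this pattern.
UDP_SERVICE_PORTS = {53: 'dns', 123: 'ntp', 161: 'snmp', 514: 'syslog'}

def classify(fields):
    """Label one portscan event as probable service-reply noise or as a genuine candidate."""
    proto, sport, dport = (int(fields.get(k, 0)) for k in ('proto', 'srcport', 'dstport'))
    if proto == 17 and sport in UDP_SERVICE_PORTS and dport > 1023:
        return 'service-reply:' + UDP_SERVICE_PORTS[sport]
    return 'candidate'

def triage(lines):
    """Per source IP: count events by classification so noisy sources stand out."""
    per_src = defaultdict(Counter)
    for line in lines:
        f = parse_ulogd(line)
        per_src[f['srcip']][classify(f)] += 1
    return {src: dict(counts) for src, counts in per_src.items()}

if __name__ == '__main__':
    for src, counts in triage(SAMPLE_LOG).items():
        print(src, counts)
```

Sources whose events are almost all "service-reply" entries are candidates for an exception rule rather than an investigation.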