Hi Nelson,

We had this discussion in October last year. This is the Snort IDS rule that causes the problem:

alert udp $EXTERNAL_NET any -> $HOME_NET 123 (msg:"EXPLOIT ntpdx overflow attempt"; dsize:>128; reference:arachnids,492; reference:cve,2001-0414; classtype:attempted-admin; sid:312; rev:6; fwsam: src, 1 day;)

As you can see, just a size >128 triggers the rule, and in my case the IP gets blocked by fwsam for 1 day. I can disable the rule, but the problem is that the rule sets are updated automatically. You are right that it is kind of stupid and the rule should be left out in the future. My English and knowledge of NTP are not good enough, but maybe someone can make a false positive report at:
http://www.snort.org/pub-bin/sigs.cgi?sid=312

Jos van de Ven

> -----Original message-----
> From: [EMAIL PROTECTED] [mailto:timekeepers-
> [EMAIL PROTECTED] On behalf of Nelson Minar
> Sent: Friday, 4 January 2008 21:45
> To: Tim Shoppa
> CC: [email protected]
> Subject: Re: [time] NTP replies accused of being abusive
>
> I had this problem with my colo recently, although in my case the
> abuse report was in response to sysinfo requests I was sending out on
> my own initiative. My response was to stop doing my survey. Haven't
> gotten a report for just serving time yet. That sucks; a busy ISP is
> likely to just assume the worst.
>
> I got a copy of the intrusion report btw, it seemed to be treating any
> unexpected sysinfo request as an exploit. Kind of stupid. We could try
> to notify the security vendor of the false positive problem but I'm
> not optimistic.
> _______________________________________________
timekeepers mailing list
[email protected]
https://fortytwo.ch/mailman/cgi-bin/listinfo/timekeepers
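As an added illustration of the point made in this thread (example code written for this page, not from the list, Snort, or the ntp project): the rule quoted above has exactly one content test, dsize:>128, applied to UDP from $EXTERNAL_NET into $HOME_NET port 123. The script below models that predicate and runs it over constructed NTP packets: a plain 48-byte client poll, a 68-byte poll with a symmetric-key MAC, a 12-byte ntpq (mode 6) readvar query, and a mode 7 request sized like ntpdc's unauthenticated request struct in ntp 4.2 (8-byte header, 176-byte data area, 8-byte timestamp; an assumption, check your build). The 192.0.2.0/24 $HOME_NET, the 198.51.100.7 source and the mode 7 implementation/request codes are placeholders. It shows that the sysinfo survey traffic Nelson describes fires the rule purely on size, while the NTP mode byte, which cheaply separates control and private queries from ordinary time exchange, is never consulted.

```python
# Added example (not from the original thread): model Snort sid:312's matching
# logic and run it over constructed NTP packets to show what it really keys on.
import ipaddress
import struct

HOME_NET = ipaddress.ip_network("192.0.2.0/24")   # placeholder $HOME_NET (RFC 5737 range)

NTP_MODES = {
    1: "symmetric active", 2: "symmetric passive", 3: "client", 4: "server",
    5: "broadcast", 6: "control (ntpq)", 7: "private (ntpdc)",
}


def ntp_mode(payload: bytes) -> int:
    """The mode is the low three bits of the first byte in every NTP packet
    format, including the mode 6 control and mode 7 private query layouts."""
    if not payload:
        raise ValueError("empty payload")
    return payload[0] & 0x07


def sid312_matches(src_ip: str, dst_ip: str, dst_port: int, payload: bytes) -> bool:
    """Snort sid:312 rev:6: udp $EXTERNAL_NET any -> $HOME_NET 123; dsize:>128.
    Only direction, port and payload length are tested; the NTP header is not."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    external = src not in HOME_NET        # $EXTERNAL_NET is !$HOME_NET by default
    return external and dst in HOME_NET and dst_port == 123 and len(payload) > 128


def ntp_client_request(authenticated: bool = False) -> bytes:
    """Constructed NTPv4 mode 3 poll: 48-byte header, optionally followed by
    a 4-byte key id and a 16-byte MD5 MAC (68 bytes in total)."""
    li_vn_mode = (0 << 6) | (4 << 3) | 3
    pkt = struct.pack("!BBbb", li_vn_mode, 0, 6, -20)   # LI/VN/mode, stratum, poll, precision
    pkt += struct.pack("!II", 0, 0)                     # root delay, root dispersion
    pkt += b"\x00" * 4                                  # reference id
    pkt += b"\x00" * 32                                 # ref/orig/recv/xmit timestamps
    if authenticated:
        pkt += struct.pack("!I", 1) + b"\x00" * 16      # key id + digest (zeros, illustration only)
    return pkt


def ntpq_readvar_request() -> bytes:
    """Constructed mode 6 control message, opcode 2 (readvar), no data: 12 bytes
    (LI/VN/mode, R/E/M+opcode, sequence, status, assoc id, offset, count)."""
    li_vn_mode = (4 << 3) | 6
    return struct.pack("!BBHHHHH", li_vn_mode, 2, 1, 0, 0, 0, 0)


def ntpdc_sysinfo_request(implementation: int = 3, request_code: int = 4) -> bytes:
    """Constructed mode 7 private request laid out like ntpdc's unauthenticated
    req_pkt in ntp 4.2: 8-byte header + 176-byte data area + 8-byte timestamp
    = 192 bytes. Sizes and the implementation/request codes are assumptions."""
    rm_vn_mode = (4 << 3) | 7                          # response=0, more=0, version 4, mode 7
    hdr = struct.pack("!BBBBHH", rm_vn_mode, 0, implementation, request_code, 0, 0)
    return hdr + b"\x00" * 176 + b"\x00" * 8


def survey(src_ip: str = "198.51.100.7", dst_ip: str = "192.0.2.10") -> list:
    """Run the rule over the constructed packets; each row records what the rule
    ignores (the mode) next to what it acts on (the length)."""
    samples = [
        ("ntp client poll", ntp_client_request()),
        ("ntp client poll + MD5 MAC", ntp_client_request(authenticated=True)),
        ("ntpq readvar (mode 6)", ntpq_readvar_request()),
        ("ntpdc sysinfo (mode 7)", ntpdc_sysinfo_request()),
    ]
    return [
        {"name": name, "size": len(p), "mode": NTP_MODES[ntp_mode(p)],
         "matches": sid312_matches(src_ip, dst_ip, 123, p)}
        for name, p in samples
    ]


if __name__ == "__main__":
    for row in survey():
        print(f"{row['name']:28} {row['size']:4d} bytes  {row['mode']:20} "
              f"sid:312 {'FIRES' if row['matches'] else 'quiet'}")
```

Run it and only the mode 7 request trips the rule, and it would trip it just the same if the 192 bytes were all zeros; conversely a short malformed control packet would never be looked at. Any replacement rule should at least test the mode byte before the size.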
