From: Sean Waddell (swaddellespgroup.net)
Date: Mon Apr 16 2001 - 10:54:28 CDT


    TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
    majordomoiss.net Contact issforum-owneriss.net for help with any problems!
    ----------------------------------------------------------------------------

    I am running several servers with only SSL and I get a lot of
    "napster_command_long" events. It would be nice to get some real
    feedback on when this will be fixed.

    Tim_Walravenamsinc.com wrote:
    >
    > I may be way off base on this, but Jeroen's statement about 443 (SSL) and our
    > experience with 1352 (Notes) leads me to believe that encrypted traffic may be
    > one of the reasons we saw so many false positives. It seems that only our Notes
    > servers trigger this event and all of our Notes servers encrypt. Can anyone
    > else draw a similar correlation? I'll leave it to the folks at ISS to figure
    > this one out......
    >
    > Tim Walraven
    > American Management Systems, Inc.
    > ICT Information Security Office
    > Office (703) 267-8056
    > Fax (703) 267-8244
    > Tim_Walravenamsinc.com
    >
    > From: Jeroen Veeren <j.veerenpointnet.nl>
    > Date: 04/10/2001 11:25 AM
    > To: issforumiss.net
    > cc: (bcc: Tim Walraven/AMS/AMSINC)
    > Subject: RE: false positives for napster_command_long with sql servers
    >
    > I wonder why this issue is not answered.
    > I have the exact same false positives all the time, on two different sites.
    > They all look like this. I suspect it is triggered by the socks port.
    >
    > Napster command long source anyip 443, 80 (ssl, http) dest anyip 1080 (socks)
    >
    > I have also the following generated on a sensor before the firewall.
    >
    > streamdos source <webserver> 443, dest anyip anyport
    >
    > The websegment has a load balancer which might be the cause to trigger the
    > stream-dos.
    >
    > bye,
    >
    > Jeroen
    >
    > -----Original Message-----
    > From: Athanasiou, Ken (Wingspan) [mailto:KenAthanasiouFirstUSA.com]
    > Sent: Friday, April 6, 2001 14:17
    > To: 'ritter dan'; issforumiss.net
    > Subject: RE: false positives for napster_command_long with sql servers
    >
    > I was getting nailed with the napster_command_long alerts... coming from one
    > of my boxes that I'm 100% absotively certain isn't trying to "pass a very
    > long command to a napster client".
    >
    > "No false positives are known for this signature."
    >
    > Might want to look a little harder... :-)
    >
    > Ken
    >
    > -----Original Message-----
    > From: ritter dan [mailto:pentesteryahoo.com]
    > Sent: Monday, April 02, 2001 11:58 AM
    > To: issforumiss.net
    > Subject: false positives for napster_command_long with sql servers
    >
    > All,
    >
    > two issues here:
    >
    > false positives
    > &
    > is this an attempt to use napster (see below)
    >
    > we are getting false positives for sql transactions
    > using port 1433 from our sql servers to sql servers
    > running people soft.
    >
    > I have confirmed this via user defined events (also
    > ethereal) to see that these were indeed sql packets -
    > usually data transfers.
    >
    > I also see some of the same napster_command_long
    > headed toward our firewall with the port of httpd -
    > which makes me think that these are real attempts to
    > run napster - which I think is blocked at our
    > firewall.
    >
    > Is someone (that is pointed toward our firewall)
    > trying to use napster ?
    >
    > We are running
    >
    > console 5.5.2000.277
    > sensor 5.0.2000.364
    > with sr 1.1 MU 2.2
    >
    > The help for this event sez - no false positives.
    >
    > ISS - Any help ??
    >

    -- 
    Sean Waddell
    Network Engineer
    The ESP Group
    703.418.6314
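An added example, not from any poster in the thread, of the correlation Tim Walraven asks about: sort napster_command_long hits by whether either endpoint sits on a port the posters associate with encrypted or opaque binary traffic (443 SSL, 1352 Notes, 1433 SQL Server), so the false-positive pattern shows up in the counts. The alert line layout and every address in it are constructed, not the real RealSecure log format.

```python
from collections import Counter

# Ports the thread associates with encrypted or opaque binary traffic that
# trips the signature: 443 (SSL), 1352 (Lotus Notes), 1433 (SQL Server).
OPAQUE_PORTS = {443: "ssl", 1352: "notes", 1433: "mssql"}

# Constructed sample alerts in a simplified "event src:port dst:port" form;
# this layout is an assumption, not the real sensor log format.
SAMPLE_ALERTS = """\
napster_command_long 10.1.1.5:443 192.0.2.10:1080
napster_command_long 10.1.1.5:443 192.0.2.11:1080
napster_command_long 10.1.2.7:1352 10.1.2.9:4321
napster_command_long 10.1.3.3:1433 10.1.3.4:1433
napster_command_long 198.51.100.8:6699 10.1.1.5:80
streamdos 10.1.1.5:443 203.0.113.4:55000
"""

def parse_alert(line):
    """Split one alert line into its event name and endpoint fields."""
    event, src, dst = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return {"event": event, "src": sip, "sport": int(sport),
            "dst": dip, "dport": int(dport)}

def triage(alert_text, event="napster_command_long"):
    """Separate hits of `event` into likely false positives (a known opaque
    service port on either end) and hits that still need a look, and count
    the likely false positives per service so the correlation is visible."""
    likely_fp, review = [], []
    per_service = Counter()
    for line in alert_text.splitlines():
        if not line.strip():
            continue
        alert = parse_alert(line)
        if alert["event"] != event:
            continue  # other signatures (e.g. streamdos) are out of scope here
        service = OPAQUE_PORTS.get(alert["sport"]) or OPAQUE_PORTS.get(alert["dport"])
        if service:
            per_service[service] += 1
            likely_fp.append(alert)
        else:
            review.append(alert)
    return likely_fp, review, per_service

if __name__ == "__main__":
    fp, todo, counts = triage(SAMPLE_ALERTS)
    print(f"{len(fp)} likely false positives by service: {dict(counts)}")
    for alert in todo:
        print("review:", alert)
```

Hits left in the review list are the ones worth a packet capture, as dan did with user-defined events and ethereal, before concluding they are genuine Napster use.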