NetMeeting DoS Benign trigger?

robert.mcclain
Level 1

I have seen this alarm appear on my map. I am using the 3.0 version on the Sensor and 2.2.3 on the Director.

The source was my webserver, out to an unknown machine.

My server is an NT 4.0 with all the fixings applied, i.e. Svc paks, Security roll-ups, etc. It doesn't have NetMeeting installed. Is there a way to trigger this alarm, or was this server some sort of go-between?

1 Reply

marcabal
Cisco Employee

Refer to: CSCdv34104

Symptom:

Normal Web Traffic is causing the firing of the 3453 "MS NetMeeting RDS DoS" signature in version 3.0(1)S6 and 3.0(1)S7 versions of the IDS sensor appliance.

Condition:

The signature is looking for packets with NULL bytes being sent to port 1720. Port 1720 is a high port which may be randomly chosen by web browsers to connect to port 80 of the Web Server (or other web ports). If the web server response contains packets with NULL bytes then the signature will fire causing a false positive.

This can also happen if any other type of client chooses port 1720 to begin a connection and the service port it connects to sends back NULL bytes.

WorkAround:

Exclude Web Servers which are causing this signature to False Positive or disable the signature until it can be fixed by our development teams.

Also the signature was incorrectly placed in as a level 3 signature when the NSDB is correct in listing it as a level 2 signature.

Lowering the signature will not stop the False Positives but would prevent it from showing on the management console by default.
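
A triage sketch for the condition described in the reply above, added here as an example; it is not Cisco's signature logic and not code from either poster. It models the stated condition (NULL bytes sent to port 1720) and uses the side that opened the TCP connection to separate server replies to a client source port of 1720 from traffic aimed at a service listening on 1720. The `Packet` record, the verdict labels and the sample traffic are assumptions constructed for illustration.

```python
from dataclasses import dataclass

SIG_PORT = 1720  # port the signature watches, per the bug description above

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool        # True only for the connection-opening SYN
    payload: bytes = b""

def naive_match(pkt):
    # Simplified model of the described condition: NULL bytes sent to port 1720.
    return pkt.dport == SIG_PORT and b"\x00" in pkt.payload

def triage(packets):
    """Label every naive match using who opened the connection."""
    opener = {}   # connection key -> (ip, port) of the side that sent the SYN
    out = []
    for p in packets:
        key = frozenset({(p.src, p.sport), (p.dst, p.dport)})
        if p.syn:
            opener.setdefault(key, (p.src, p.sport))
        if not naive_match(p):
            continue
        if key not in opener:
            verdict = "unknown-direction"        # sensor missed the handshake
        elif opener[key] == (p.dst, p.dport):
            verdict = "likely-false-positive"    # 1720 is the client's source port
        else:
            verdict = "investigate"              # 1720 is the listening service
        out.append((p.src, p.sport, verdict))
    return out

# Constructed sample traffic (documentation addresses, not from the post).
SAMPLE = [
    Packet("192.0.2.10", 1720, "198.51.100.5", 80, True),
    Packet("198.51.100.5", 80, "192.0.2.10", 1720, False, b"GIF89a\x01\x00\x01\x00"),
    Packet("203.0.113.7", 40000, "198.51.100.9", 1720, True),
    Packet("203.0.113.7", 40000, "198.51.100.9", 1720, False, b"\x00\x00\x00\x00"),
    Packet("198.51.100.5", 80, "192.0.2.44", 1720, False, b"\x00"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```
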