Snort mailing list archives

Re: DOS MSDTC attempt false positive


From: Bill McCarty <bmccarty () apu edu>
Date: Fri, 10 May 2002 23:22:13 -0700

Hi Kenny,

As I recall, there was a report on snort-devel or snort-sigs indicating that the dsize=0 in the relevant rule is ignored by Snort. Authentic MSDTC attacks have a zero-byte payload, whereas your port 80 traffic likely does not. You can work around the problem by modifying the rule to specify dsize<1 rather than dsize=0.

I recommend that you check the archives of snort-devel and snort-sigs before taking my report as gospel. It's late and I'm tired, or I'd check it out rather than merely report it as I've done. Sorry for any inaccuracy or confusion!

Cheers,

--On Thursday, May 09, 2002 1:36 AM +1000 Kenny D <bitored2002 () yahoo com au> wrote:

I am getting numerous DOS false positives such as DOS MSDTC and DDOS mstream client to handler where the source port is 80 and the destination port is 3372 and 12754 respectively.

---------------------------------------------------
Bill McCarty

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
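The following is an added illustration of the point Bill makes; it is not Snort's code and not code from either poster. It models the parts of a Snort rule the thread mentions (a TCP rule on destination port 3372 with a `dsize` option) and applies it to constructed packets: a zero-payload probe to port 3372 and an HTTP reply from source port 80 to client port 3372, which is the traffic pattern Kenny reported. The two rule strings are assumptions written in the Snort 1.x rule shape, and `honor_dsize=False` is a switch that mimics the reported behaviour of `dsize:0` being ignored, so you can see which packet becomes the false positive.

```python
"""Model of Snort's dsize option applied to the MSDTC false positive.

Added example, not Snort code.  Rules, packets and the honor_dsize
switch are constructed for illustration.
"""
import re

# Assumed rules: the original equality form and the thread's workaround.
RULE_DSIZE_EQ = 'alert tcp any any -> any 3372 (msg:"DOS MSDTC attempt"; dsize:0;)'
RULE_DSIZE_LT = 'alert tcp any any -> any 3372 (msg:"DOS MSDTC attempt"; dsize:<1;)'

HEADER_RE = re.compile(
    r'^alert\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+'
    r'(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$')
# dsize:N, dsize:<N, dsize:>N (the min<>max range form is not modelled)
DSIZE_RE = re.compile(r'dsize\s*:\s*(?P<op>[<>]?)\s*(?P<n>\d+)\s*;')
MSG_RE = re.compile(r'msg\s*:\s*"(?P<msg>[^"]*)"\s*;')


def parse_rule(text):
    """Extract protocol, ports, msg and dsize spec from a simple rule."""
    m = HEADER_RE.match(text)
    if not m:
        raise ValueError("unsupported rule syntax: %s" % text)
    opts = m.group('opts')
    d = DSIZE_RE.search(opts)
    msg = MSG_RE.search(opts)
    return {
        'proto': m.group('proto'),
        'sport': m.group('sport'),
        'dport': m.group('dport'),
        'dsize': (d.group('op') or '=', int(d.group('n'))) if d else None,
        'msg': msg.group('msg') if msg else '',
    }


def port_matches(spec, port):
    return spec == 'any' or int(spec) == port


def dsize_matches(spec, payload_len):
    """Compare the payload length the way the dsize operator asks for."""
    op, n = spec
    if op == '=':
        return payload_len == n
    if op == '<':
        return payload_len < n
    return payload_len > n


def rule_matches(rule, pkt, honor_dsize=True):
    if rule['proto'] != pkt['proto']:
        return False
    if not (port_matches(rule['sport'], pkt['sport'])
            and port_matches(rule['dport'], pkt['dport'])):
        return False
    # honor_dsize=False mimics a detection engine that drops the option.
    if honor_dsize and rule['dsize'] is not None:
        return dsize_matches(rule['dsize'], len(pkt['payload']))
    return True


def alerts(rule_text, packets, honor_dsize=True):
    """Names of the packets that would raise an alert for this rule."""
    rule = parse_rule(rule_text)
    return [p['name'] for p in packets if rule_matches(rule, p, honor_dsize)]


# Constructed sample traffic (not captured data).
PACKETS = [
    # Empty-payload connection to the MSDTC port: what the rule is for.
    {'name': 'msdtc-probe', 'proto': 'tcp', 'sport': 4321, 'dport': 3372,
     'payload': b''},
    # Web server replying to a client whose ephemeral port happens to be 3372.
    {'name': 'http-reply', 'proto': 'tcp', 'sport': 80, 'dport': 3372,
     'payload': b'HTTP/1.0 200 OK\r\n' + b'x' * 500},
    # Unrelated traffic on a different destination port.
    {'name': 'other', 'proto': 'tcp', 'sport': 4321, 'dport': 80,
     'payload': b''},
]

if __name__ == '__main__':
    print('dsize:0  honoured :', alerts(RULE_DSIZE_EQ, PACKETS))
    print('dsize:<1 honoured :', alerts(RULE_DSIZE_LT, PACKETS))
    print('dsize ignored     :', alerts(RULE_DSIZE_EQ, PACKETS, honor_dsize=False))
```

With the length check applied, both spellings select exactly the same packets (only a payload length of zero satisfies either `dsize:0` or `dsize:<1`), so the workaround changes nothing unless the equality form really is being dropped; in that case the port-80 reply matches on ports alone and produces the alert Kenny saw.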