Snort mailing list archives
Re: FP:10995 rev3
From: "Lee Clemens" <snort () leeclemens net>
Date: Wed, 31 Mar 2010 21:44:02 -0400
For anyone watching this thread: With thanks to Alex and VRT, I have disabled this sid (will be disabled in future VRT rulesets) and continue to use its SO replacement: 13718

-----Original Message-----
From: Matt Watchinski [mailto:mwatchinski () sourcefire com]
Sent: Tuesday, March 30, 2010 6:52 PM

Can you provide pcap and snort.conf? Send to fp () sourcefire com if you don't want it on list.

Cheers,
-matt

On Tue, Mar 30, 2010 at 4:47 PM, <snort () leeclemens net> wrote:

Hello,

I believe I am seeing a FP with this BDAT DoS attempt. The packet being alerted on is SMTP, payload length 23, containing only:

EHLO <server name> 0D 0A

Is this correct? The rule appears to use content "BDAT", which is not contained in the server name either.

-Lee

------------------------------------------------------------------------------
Download Intel® Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs proactively, and fine-tune applications for parallel performance. See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

--
Matthew Watchinski
Sr. Director Vulnerability Research Team (VRT)
Sourcefire, Inc.
Office: 410-423-1928
http://vrt-sourcefire.blogspot.com && http://www.snort.org/vrt/
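Matt asks for a pcap so VRT can reproduce the alert offline. The script below is an added example, not code from the thread or from Sourcefire: it builds a one-packet pcap carrying the 23-byte SMTP payload Lee describes (EHLO, a 16-character server name, CRLF) with correct IPv4 and TCP checksums, so the rule can be replayed against it with `snort -r`, and it applies a plain substring check standing in for the rule's `content:"BDAT"` option to show that the reported payload cannot satisfy that content match. The server name, addresses, ports and MAC addresses are constructed placeholders; the content check is only the substring part of a Snort rule, not a full rule evaluation.

```python
import struct
import socket

# Constructed sample payload matching the thread's description:
# "EHLO <server name> 0D 0A", total length 23 bytes.
SERVER_NAME = b"mail.example.com"          # placeholder, 16 bytes
EHLO_PAYLOAD = b"EHLO " + SERVER_NAME + b"\r\n"

# Constructed addressing for the sample packet (placeholders, not from the thread).
SRC_IP, DST_IP = "192.0.2.10", "198.51.100.25"
SRC_PORT, DST_PORT = 40000, 25


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tcp_segment(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """TCP header (PSH|ACK, no options) with a pseudo-header checksum, plus payload."""
    seq, ack, flags, window = 1000, 2000, 0x18, 65535
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, window, 0, 0)
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(src_ip), socket.inet_aton(dst_ip),
                         0, 6, len(hdr) + len(payload))
    csum = inet_checksum(pseudo + hdr + payload)
    hdr = hdr[:16] + struct.pack("!H", csum) + hdr[18:]   # checksum sits at offset 16
    return hdr + payload


def build_ipv4_packet(src_ip: str, dst_ip: str, segment: bytes) -> bytes:
    """Minimal IPv4 header (no options) around a TCP segment."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment), 0x1234, 0x4000,
                      64, 6, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    csum = inet_checksum(hdr)
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:] + segment  # checksum at offset 10


def build_ethernet_frame(packet: bytes) -> bytes:
    """Ethernet II frame with placeholder MAC addresses and IPv4 ethertype."""
    return bytes.fromhex("001122334455" "66778899aabb") + struct.pack("!H", 0x0800) + packet


def pcap_bytes(frames) -> bytes:
    """Serialise (timestamp, frame) pairs as a classic libpcap file (link type Ethernet)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for ts, frame in frames:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out.append(struct.pack("<IIII", sec, usec, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def build_ehlo_frame() -> bytes:
    """The single sample frame reproducing the payload reported in the thread."""
    seg = build_tcp_segment(SRC_IP, DST_IP, SRC_PORT, DST_PORT, EHLO_PAYLOAD)
    return build_ethernet_frame(build_ipv4_packet(SRC_IP, DST_IP, seg))


def ipv4_header_checksum_ok(frame: bytes) -> bool:
    """A correct IPv4 header checksums to zero when summed including its checksum field."""
    return inet_checksum(frame[14:34]) == 0


def content_matches(payload: bytes, pattern: bytes, nocase: bool = False) -> bool:
    """Stand-in for Snort's content option: a substring search over the payload."""
    if nocase:
        return pattern.lower() in payload.lower()
    return pattern in payload


def write_sample_pcap(path: str) -> int:
    """Write the one-packet reproduction pcap; returns bytes written."""
    data = pcap_bytes([(1269981000.0, build_ehlo_frame())])  # constructed timestamp
    with open(path, "wb") as f:
        f.write(data)
    return len(data)


if __name__ == "__main__":
    n = write_sample_pcap("ehlo_fp_sample.pcap")
    print(f"wrote {n} bytes; payload length {len(EHLO_PAYLOAD)}; "
          f"content BDAT present: {content_matches(EHLO_PAYLOAD, b'BDAT')}")
```

Replaying the resulting file with `snort -r ehlo_fp_sample.pcap -c snort.conf -A console` shows whether the rule in question fires on this traffic; if it does while the substring check here reports no match, the alert is coming from a rule option other than the `BDAT` content (for example a flowbit or a detection-plugin check), which is exactly the information the rule maintainers need.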
Current thread:
- FP:10995 rev3 snort (Mar 30)
- Re: FP:10995 rev3 Matt Watchinski (Mar 30)
- Re: FP:10995 rev3 Lee Clemens (Mar 31)
- Re: FP:10995 rev3 Matt Watchinski (Mar 30)