[Snort-sigs] False alert - update on sid 279
scheidell at ...249...
Fri Apr 26 15:04:03 EDT 2002
I received a false hit/alert on sid 279. Looking at the packet, it was 8 bytes
long (not 0).
Looking at Bugtraq and the Snort rule, it seems to think that the packet size is 0.
I suspect that the key 'dsize:0' is the same as not using dsize, and did not
see that used anywhere else, so:
I hope this fix will prevent the false hit in future (changed dsize:0 to
dsize:<1; changed rev:2 to 3?):
alert udp $EXTERNAL_NET any -> $HOME_NET 161 \
(msg:"DOS Bay/Nortel Nautica Marlin"; dsize:<1; reference:bugtraq,1009;\
reference:cve,CVE-2000-0221; classtype:attempted-dos; sid:279; rev:3;)
SECNAP Network Security, LLC
(561) 368-9561 scheidell at ...249...
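
Added example, not part of the original post and not Snort's own code: a small harness that evaluates the rule's dsize option against payload lengths for the rev 2 rule, the proposed rev 3 rule, and a copy with dsize removed. It assumes the documented `dsize:[<|>]N` comparison semantics; the rule strings are constructed from the post, and the function names are hypothetical.

```python
import re

# Constructed copies of sid 279: rev 2 (dsize:0), the proposed rev 3
# (dsize:<1), and a variant with the dsize option removed entirely.
RULE_REV2 = ('alert udp $EXTERNAL_NET any -> $HOME_NET 161 '
             '(msg:"DOS Bay/Nortel Nautica Marlin"; dsize:0; '
             'reference:bugtraq,1009; reference:cve,CVE-2000-0221; '
             'classtype:attempted-dos; sid:279; rev:2;)')
RULE_REV3 = RULE_REV2.replace("dsize:0;", "dsize:<1;").replace("rev:2;", "rev:3;")
RULE_NO_DSIZE = RULE_REV2.replace(" dsize:0;", "")

# Matches dsize:N, dsize:<N and dsize:>N (assumed documented forms only).
_DSIZE = re.compile(r'\bdsize:\s*([<>]?)\s*(\d+)\s*;')


def dsize_predicate(rule):
    """Return payload_len -> bool for the rule's dsize option.

    A rule without a dsize option places no constraint on payload size.
    """
    # Blank out quoted strings so text inside msg:"..." cannot match.
    stripped = re.sub(r'"[^"]*"', '""', rule)
    m = _DSIZE.search(stripped)
    if m is None:
        return lambda n: True
    op, num = m.group(1), int(m.group(2))
    if op == "<":
        return lambda n: n < num
    if op == ">":
        return lambda n: n > num
    return lambda n: n == num


def compare(rules, sizes):
    """Map each payload size to the per-rule dsize verdicts, in rule order."""
    return {n: [dsize_predicate(r)(n) for r in rules] for n in sizes}


if __name__ == "__main__":
    # 0 = empty UDP payload, 8 = the packet size reported in the post.
    verdicts = compare([RULE_REV2, RULE_REV3, RULE_NO_DSIZE], [0, 8])
    for size, (rev2, rev3, none) in verdicts.items():
        print(f"payload={size}B rev2={rev2} rev3={rev3} no_dsize={none}")
```

Under these assumed semantics only the variant without dsize matches an 8-byte payload, so replaying the captured packet against both revisions on the sensor itself shows whether the engine honours `dsize:0`.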