[Snort-sigs] False alert - update on sid 279

Michael Scheidell scheidell at ...249...
Fri Apr 26 15:04:03 EDT 2002


I received a false hit/alert on sid 279. Looking at the packet, it was 8 bytes
long (not 0).
Looking at bugtraq and the snort rule, it seems to think that the packet size is 0
for problems.

I suspect that the key 'dsize:0' is the same as not using dsize, and did not
see that used anywhere else, so:

I hope this fix will prevent the false hit in future (changed dsize:0 to
dsize:<1, changed rev:2 to 3?):

alert udp $EXTERNAL_NET any -> $HOME_NET 161 \
(msg:"DOS Bay/Nortel Nautica Marlin"; dsize:<1; reference:bugtraq,1009;\
reference:cve,CVE-2000-0221; classtype:attempted-dos; sid:279; rev:3;)

--
Michael Scheidell
SECNAP Network Security, LLC
(561) 368-9561 scheidell at ...249...
http://www.secnap.net
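As an added example (not part of the post, and not Snort's own code), the following Python evaluates both forms of the dsize option discussed above against a few constructed UDP payload lengths, using the dsize forms documented in the Snort 2.x manual (N, <N, >N, A<>B). Assumptions: the A<>B range is treated as exclusive (confirm against your Snort version's manual), and the rev:2 rule text is reconstructed from the post by reversing the two changes the author describes.

```python
import re

# dsize forms handled here, per the Snort 2.x manual: N, <N, >N, A<>B.
# Assumption: the A<>B range is exclusive; check your Snort version's manual.
_DSIZE_RE = re.compile(
    r"^(?:(?P<op>[<>])(?P<n>\d+)|(?P<lo>\d+)<>(?P<hi>\d+)|(?P<eq>\d+))$"
)


def parse_dsize(expr):
    """Return a predicate(payload_len) -> bool for one dsize expression."""
    m = _DSIZE_RE.match(expr.strip())
    if not m:
        raise ValueError(f"unsupported dsize expression: {expr!r}")
    if m.group("eq") is not None:
        n = int(m.group("eq"))
        return lambda size: size == n
    if m.group("op") == "<":
        n = int(m.group("n"))
        return lambda size: size < n
    if m.group("op") == ">":
        n = int(m.group("n"))
        return lambda size: size > n
    lo, hi = int(m.group("lo")), int(m.group("hi"))
    return lambda size: lo < size < hi


def dsize_from_rule(rule):
    """Extract the dsize option value from a rule body, or None if the rule has none."""
    m = re.search(r"\bdsize:\s*([^;]+);", rule)
    return m.group(1).strip() if m else None


def matching_sizes(rule, payload_sizes):
    """Return the payload sizes (of those given) that the rule's dsize test accepts.

    A rule without a dsize option places no size constraint, so every size is returned.
    """
    expr = dsize_from_rule(rule)
    if expr is None:
        return list(payload_sizes)
    pred = parse_dsize(expr)
    return [s for s in payload_sizes if pred(s)]


# rev:2 reconstructed from the post (dsize:0, rev:2); rev:3 is the posted fix.
RULE_REV2 = (
    'alert udp $EXTERNAL_NET any -> $HOME_NET 161 '
    '(msg:"DOS Bay/Nortel Nautica Marlin"; dsize:0; reference:bugtraq,1009; '
    'reference:cve,CVE-2000-0221; classtype:attempted-dos; sid:279; rev:2;)'
)
RULE_REV3 = RULE_REV2.replace("dsize:0;", "dsize:<1;").replace("rev:2;", "rev:3;")

# Constructed sample payload lengths: an empty datagram, the 8-byte datagram
# mentioned in the post, and a typical small SNMP GetRequest.
SAMPLE_SIZES = [0, 8, 43]

if __name__ == "__main__":
    for name, rule in (("rev:2", RULE_REV2), ("rev:3", RULE_REV3)):
        print(name, "dsize =", dsize_from_rule(rule),
              "-> matching payload sizes:", matching_sizes(rule, SAMPLE_SIZES))
```

Under these documented semantics both `dsize:0` and `dsize:<1` accept only an empty payload, so an 8-byte datagram matches neither; if the sensor still alerts on non-empty payloads, the place to look is how that Snort build handles the option rather than the rule text.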
