[Snort-sigs] DDOS mstream handler to client

Ian Macdonald secsnortsigs at ...644...
Mon Aug 12 06:56:07 EDT 2002


This is a look into the mstream signatures. I started looking at these
signatures because of false positives from src port 15104 to dst 443.

alert tcp $EXTERNAL_NET any -> $HOME_NET 12754 (msg:"DDOS mstream client to handler"; content: ">"; flags: A+; reference:cve,CAN-2000-0138; classtype:attempted-dos; sid:247; rev:1;)

alert tcp $HOME_NET 12754 -> $EXTERNAL_NET any (msg:"DDOS mstream handler to client"; content: ">"; flags: A+; reference:cve,CAN-2000-0138; classtype:attempted-dos; sid:248; rev:1;)

alert tcp $HOME_NET 15104 -> $EXTERNAL_NET any (msg:"DDOS mstream handler to client"; content: ">"; flags: A+; reference:cve,CAN-2000-0138; classtype:attempted-dos; sid:250; rev:1;)

I assume that this rule is supposed to detect the prompt from the client to
the server as described in
http://ciac.llnl.gov/ciac/bulletins/k-037.shtml.
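The following is an added example, not part of the original post and not Snort code: a small matcher that expresses the three rules above as data and runs them over constructed packets, to show why sid 250 ($HOME_NET 15104 -> $EXTERNAL_NET any) fires on ordinary outbound HTTPS from a home host whose ephemeral source port happens to be 15104. It assumes $HOME_NET is 10.0.0.0/8 and $EXTERNAL_NET is everything else; every packet and payload below is constructed, not captured.

```python
# Added example (not from the original post or the Snort project): a small
# matcher for the three mstream rules quoted in the message, run over
# constructed packets to show why sid 250 ($HOME_NET 15104 -> $EXTERNAL_NET
# any) also fires on ordinary outbound HTTPS from ephemeral port 15104.
# Assumptions: $HOME_NET is 10.0.0.0/8, $EXTERNAL_NET is everything else,
# and all packets below are constructed, not captured.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

HOME_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed value of $HOME_NET


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str      # TCP flag letters as Snort writes them: S, A, P, F, ...
    payload: bytes


@dataclass
class Rule:
    sid: int
    msg: str
    src_home: bool          # True = $HOME_NET, False = $EXTERNAL_NET
    sport: Optional[int]    # None = any
    dst_home: bool
    dport: Optional[int]
    content: bytes


# The three rules from the post, expressed as data.
RULES = [
    Rule(247, "DDOS mstream client to handler", False, None, True, 12754, b">"),
    Rule(248, "DDOS mstream handler to client", True, 12754, False, None, b">"),
    Rule(250, "DDOS mstream handler to client", True, 15104, False, None, b">"),
]


def in_home_net(ip: str) -> bool:
    return ipaddress.ip_address(ip) in HOME_NET


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    # flags: A+ means "ACK set, any other flags may be set too".
    if "A" not in pkt.flags:
        return False
    if in_home_net(pkt.src) != rule.src_home or in_home_net(pkt.dst) != rule.dst_home:
        return False
    if rule.sport is not None and pkt.sport != rule.sport:
        return False
    if rule.dport is not None and pkt.dport != rule.dport:
        return False
    # content: ">" is an unanchored byte search over the whole payload.
    return rule.content in pkt.payload


def alerts_for(pkt: Packet) -> List[int]:
    """Return the sids of every rule that fires on pkt."""
    return [r.sid for r in RULES if rule_matches(r, pkt)]


# Constructed traffic (not captured data).
HANDLER_PROMPT = Packet("10.0.0.7", 12754, "198.51.100.9", 40001, "PA", b"> ")
CLIENT_COMMAND = Packet("198.51.100.9", 40001, "10.0.0.7", 12754, "PA",
                        b"stream 203.0.113.9 10\n")
# Outbound HTTPS from a home host whose ephemeral port happens to be 15104.
# The TLS record bytes are made up; 0x3e (">") can appear anywhere in them.
HTTPS_FROM_15104 = Packet("10.1.2.3", 15104, "203.0.113.5", 443, "PA",
                          b"\x16\x03\x01\x00\x10\x3e\x8a\x01\x00\x00\x0c")
HTTPS_FROM_15105 = Packet("10.1.2.3", 15105, "203.0.113.5", 443, "PA",
                          b"\x16\x03\x01\x00\x10\x3e\x8a\x01\x00\x00\x0c")
HTTPS_SYN = Packet("10.1.2.3", 15104, "203.0.113.5", 443, "S", b"")


def demo() -> dict:
    return {
        "handler_prompt": alerts_for(HANDLER_PROMPT),
        "client_command": alerts_for(CLIENT_COMMAND),
        "https_from_15104": alerts_for(HTTPS_FROM_15104),
        "https_from_15105": alerts_for(HTTPS_FROM_15105),
        "https_syn": alerts_for(HTTPS_SYN),
    }


if __name__ == "__main__":
    for name, sids in demo().items():
        print(f"{name:18s} -> {sids or 'no alert'}")
```

Running the script shows that the only things sid 250 keys on are the direction, the source port, the ACK bit and a single ">" byte anywhere in the payload, so any established outbound connection from source port 15104 whose data happens to contain 0x3e, such as the HTTPS traffic described in the post, trips it just as the handler prompt does.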
