[Snort-sigs] DDOS false positive

Nigel Houghton nigel at ...435...
Sat Dec 27 21:09:04 EST 2003

Around Yesterday Bryan Irvine said:

BI :I need help trying to troubleshoot a suspected false positive with the
BI :DDOS mstream client handler rule.

Which SID is generating the event? (there is more than one concerning the
mstream client/handler conversations)

BI :According to the signature db, there aren't any known false positives,
BI :but I seem to be getting a bunch when people go to the autoconnect (now
BI :autotrader) website.

Are they using a proxy?

BI :What should I look for to troubleshoot and report this?

Try to capture some of the offending packets and look through them for
data that might cause the rule(s) to generate an event. Use Snort or
Ethereal (tethereal) or whatever you prefer. If possible, share your
findings with folks on the list.

BI :--Bryan

Nigel Houghton        Security Research Engineer        Sourcefire Inc.
                     Vulnerability Research Team

"In an emergency situation involving two or more officers of equal rank,
seniority will be granted to whichever officer can program a VCR."
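The triage step Nigel describes (capture the offending packets, then look for the bytes the rule keys on) can be scripted once you have the payloads out of the capture. The following is an added example, not code from this thread or from Snort: it replays a handful of constructed TCP payloads against a simplified copy of the mstream client-to-handler rule options. The port/content pairs used for SIDs 247 and 250 (content ">" on TCP 12754 and 15104, flow:to_server) are an assumed paraphrase of the ddos.rules entries and should be checked against your own rule file; the sample packets are made up for the demonstration.

```python
"""Replay captured payloads against a simplified copy of the mstream
client/handler rule options to see which packets satisfy the port, flow
direction and content checks.  Added triage example, not code from the
thread; the rule options below are an assumed paraphrase of the mstream
rules, so compare them against your own ddos.rules before trusting them."""
from dataclasses import dataclass


@dataclass
class Packet:
    src_port: int
    dst_port: int
    payload: bytes
    to_server: bool  # True when sent by the side that opened the TCP session


@dataclass
class Rule:
    sid: int
    msg: str
    dst_port: int
    content: bytes
    flow_to_server: bool = True  # mirrors the flow:to_server rule option


# Assumed approximation of SIDs 247 and 250 (content ">" on TCP 12754/15104,
# flow:to_server).  Not copied from the thread; verify against your rule set.
MSTREAM_RULES = [
    Rule(247, "DDOS mstream client to handler", 12754, b">"),
    Rule(250, "DDOS mstream client to handler", 15104, b">"),
]


def matches(rule, pkt, honor_flow=True):
    """Port, (optionally) flow direction, and content must all agree."""
    if pkt.dst_port != rule.dst_port:
        return False
    if honor_flow and pkt.to_server != rule.flow_to_server:
        return False
    return rule.content in pkt.payload


def context(payload, content, width=16):
    """Offset of the first match plus the surrounding bytes, for the list post."""
    off = payload.index(content)
    lo, hi = max(0, off - width), off + len(content) + width
    return off, payload[lo:hi]


def triage(packets, rules=MSTREAM_RULES, honor_flow=True):
    """Return (sid, packet index, match offset, context bytes) for each hit."""
    hits = []
    for i, pkt in enumerate(packets):
        for rule in rules:
            if matches(rule, pkt, honor_flow):
                off, ctx = context(pkt.payload, rule.content)
                hits.append((rule.sid, i, off, ctx))
    return hits


# Constructed sample traffic (not real captures): a browser whose ephemeral
# port happens to be 12754 fetching a page, and an inbound connection to a
# local host on 12754 carrying a ">".
SAMPLE = [
    Packet(12754, 80, b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n", True),
    Packet(80, 12754, b"HTTP/1.1 200 OK\r\n\r\n<html><body>hi</body></html>", False),
    Packet(40000, 12754, b"<ping>", True),
    Packet(40001, 15104, b"hello world", True),
]

if __name__ == "__main__":
    for sid, idx, off, ctx in triage(SAMPLE):
        print(f"sid {sid}: packet {idx}, offset {off}, bytes {ctx!r}")
    for sid, idx, off, ctx in triage(SAMPLE, honor_flow=False):
        print(f"(ignoring flow) sid {sid}: packet {idx}, offset {off}, bytes {ctx!r}")
```

Run it twice, once honouring the flow option and once ignoring it. A packet that only shows up in the second pass has the right port and content but the wrong direction, which points at the sensor's idea of which side of the session is the server (midstream pickup or one-sided traffic, for instance) rather than at the content match itself; the offset and context bytes are what you would paste into a report to the list.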