[Snort-sigs] DDOS false positive

Knut Bjornstad kbjo at ...1893...
Mon Dec 29 04:37:00 EST 2003

On Sat, Dec 27, 2003 at 11:08:33PM -0600, Nigel Houghton wrote:
> Around Yesterday Bryan Irvine said:
> BI :I need help trying to troubleshoot a suspected false positive with the
> BI :DDOS mstream client handler rule.
> Which SID is generating the event? (there is more than one concerning the
> mstream client/handler conversations)

According to my testing, SID 247 "DDOS mstream client to handler"
gives lots of false positives, since it merely checks on the occurence
of the character ">" plus port 12754 in TCP connections. Since Snort
tend to fail on the direction of connections, this will react to all
sorts of traffic containing the character where the ephemeral port is

SID 249 :"DDOS mstream client to handler" and SID 230 "DDOS shaft client
to handler" have similar problems.

My tests was conducted in connection with my GCIA practical this summer which
should be available at http://www.giac.org/GCIA.php (but isn't just now - I
hope they fix it soon)
--Knut Bjornstad -- ErgoIntegration AS ---Oslo, Norway-------
--kbjo at ...1893... -- t:47 23 14 53 36 -- mob: 901 15 917 --

More information about the Snort-sigs mailing list