[Snort-sigs] DDOS false positive

Nigel Houghton nigel at ...435...
Mon Dec 29 06:40:01 EST 2003

Around 1:35pm Knut Bjornstad said:

KB :On Sat, Dec 27, 2003 at 11:08:33PM -0600, Nigel Houghton wrote:
KB :> Around Yesterday Bryan Irvine said:
KB :>
KB :> BI :I need help trying to troubleshoot a suspected false positive with the
KB :> BI :DDOS mstream client handler rule.
KB :>
KB :> Which SID is generating the event? (there is more than one concerning the
KB :> mstream client/handler conversations)
KB :>
KB :
KB :According to my testing, SID 247 "DDOS mstream client to handler"
KB :gives lots of false positives, since it merely checks on the occurrence
KB :of the character ">" plus port 12754 in TCP connections. Since Snort
KB :tends to fail on the direction of connections, this will react to all
KB :sorts of traffic containing the character where the ephemeral port is
KB :12754.
KB :
KB :SID 249 "DDOS mstream client to handler" and SID 230 "DDOS shaft client
KB :to handler" have similar problems.
KB :
KB :My tests were conducted in connection with my GCIA practical this summer which
KB :should be available at http://www.giac.org/GCIA.php (but isn't just now - I
KB :hope they fix it soon)

Thank you for your input, I look forward to reading your paper. Do you
have any recommendations for improving the rule(s) based on your
practical work?

Nigel Houghton        Security Research Engineer        Sourcefire Inc.
                     Vulnerability Research Team

"In an emergency situation involving two or more officers of equal rank,
seniority will be granted to whichever officer can program a vcr."
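The false-positive mechanism Knut describes above (a rule that only checks for ">" plus port 12754, with no reliable sense of which side of the connection is the server) can be reproduced with a small simulation. The following is an added example and is not code from the thread, from Snort, or the actual text of SID 247: it implements a naive matcher and a flow-tracking matcher over constructed packets, where one session is a genuine client-to-handler exchange on port 12754 and the other is ordinary web traffic whose client happened to pick 12754 as its ephemeral port. The flow tracker learns the server side from the SYN, which is the kind of direction knowledge Snort's `flow:to_server,established` option is meant to supply. Packet layout, flag strings and addresses are all constructed for the example.

```python
from dataclasses import dataclass

MSTREAM_HANDLER_PORT = 12754  # port named in the thread


@dataclass
class Packet:
    # Minimal TCP packet model, constructed for this example.
    src: str
    sport: int
    dst: str
    dport: int
    flags: str      # "S", "SA", "A" or "PA"
    payload: bytes


# Constructed sample traffic.
# Session 1: client 10.0.0.5 connects to a handler listening on 12754 and sends ">".
# Session 2: client 192.168.1.20 picks ephemeral port 12754 and fetches a web page;
#            the server's HTML reply contains ">" and arrives with dport 12754.
SAMPLE = [
    Packet("10.0.0.5", 40123, "10.0.0.9", 12754, "S", b""),
    Packet("10.0.0.9", 12754, "10.0.0.5", 40123, "SA", b""),
    Packet("10.0.0.5", 40123, "10.0.0.9", 12754, "A", b""),
    Packet("10.0.0.5", 40123, "10.0.0.9", 12754, "PA", b">"),
    Packet("192.168.1.20", 12754, "203.0.113.10", 80, "S", b""),
    Packet("203.0.113.10", 80, "192.168.1.20", 12754, "SA", b""),
    Packet("192.168.1.20", 12754, "203.0.113.10", 80, "A", b""),
    Packet("192.168.1.20", 12754, "203.0.113.10", 80, "PA", b"GET / HTTP/1.0\r\n\r\n"),
    Packet("203.0.113.10", 80, "192.168.1.20", 12754, "PA", b"<html><body>hi</body></html>"),
]


def naive_alerts(packets):
    """Index of every packet a direction-blind rule would alert on:
    destination port 12754 and ">" somewhere in the payload."""
    return [i for i, p in enumerate(packets)
            if p.dport == MSTREAM_HANDLER_PORT and b">" in p.payload]


class FlowTracker:
    """Tracks TCP sessions by endpoint pair and remembers which endpoint
    received the initial SYN, i.e. which side is the server."""

    def __init__(self):
        self.flows = {}

    @staticmethod
    def _key(p):
        return frozenset({(p.src, p.sport), (p.dst, p.dport)})

    def update(self, p):
        k = self._key(p)
        if p.flags == "S":
            self.flows[k] = {"server": (p.dst, p.dport), "state": "syn"}
            return None
        f = self.flows.get(k)
        if f is None:           # mid-stream packet with no handshake seen
            return None
        if p.flags == "SA" and f["state"] == "syn":
            f["state"] = "synack"
        elif p.flags == "A" and f["state"] == "synack":
            f["state"] = "established"
        return f


def stateful_alerts(packets):
    """Same content check, but only on established sessions, only for
    packets travelling toward the server, and only when the server
    side really is port 12754."""
    tracker = FlowTracker()
    hits = []
    for i, p in enumerate(packets):
        f = tracker.update(p)
        if f is None or f["state"] != "established":
            continue
        to_server = (p.dst, p.dport) == f["server"]
        if to_server and f["server"][1] == MSTREAM_HANDLER_PORT and b">" in p.payload:
            hits.append(i)
    return hits


if __name__ == "__main__":
    print("direction-blind rule fires on packets:", naive_alerts(SAMPLE))
    print("flow-aware rule fires on packets:     ", stateful_alerts(SAMPLE))
```

The direction-blind matcher flags both the real handler command (packet 3) and the HTML reply to the web client (packet 8); the flow-aware matcher keeps only packet 3. Whether a production rule achieves this depends on the sensor actually having seen the handshake, which is why direction tracking fails on mid-stream captures or asymmetric routing and why a content match of a single common character needs that extra context to be useful.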
