[Snort-sigs] Suspected false +ve.

Mark Rainer mgeorgec at ...662...
Wed Jun 9 12:48:49 EDT 2004


# This is a template for submitting snort signature descriptions to
# the snort.org website
#
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to others' work.
#
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
# 
# $Id$
#
# 

Rule:  
?

--
Sid: 1408

--
Summary:

--
Impact:
Download apparently aborted.

--
Detailed Information:
Example from Snort log (two of approx 60+)

Date: 06/07 08:29:43 Name: DOS MSDTC attempt 
Priority: 2 Type: Attempted Denial of Service 
IP info: 194.83.57.15:20 -> 81.168.101.189:3372 
References: none found SID: 1408 
 
Date: 06/07 08:29:43 Name: DOS MSDTC attempt 
Priority: 2 Type: Attempted Denial of Service 
IP info: 194.83.57.15:20 -> 81.168.101.189:3372 
References: none found SID: 1408 
 

--
Affected Systems:

--
Attack Scenarios:

--
Ease of Attack:

--
False Positives:
I believe this was a false positive because I was approx 14 hours into a 
20 hour file transfer/download from the IP quoted.

--
False Negatives:

--
Corrective Action:
Restarted download.

--
Contributors:
Mark Rainer

-- 
Additional References:
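
Added example, not part of the original post: a small triage script over alerts in the format quoted above. It collapses repeated alerts into flows and marks flows whose source port is 20 (ftp-data), which is how an active-mode FTP data connection to a client port of 3372 would appear. The function name `triage`, the verdict labels and the third sample record are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed input in the alert format quoted in the post. The first two
# records repeat the post's lines; the third is invented for contrast.
SAMPLE = """\
Date: 06/07 08:29:43 Name: DOS MSDTC attempt
Priority: 2 Type: Attempted Denial of Service
IP info: 194.83.57.15:20 -> 81.168.101.189:3372
References: none found SID: 1408

Date: 06/07 08:29:43 Name: DOS MSDTC attempt
Priority: 2 Type: Attempted Denial of Service
IP info: 194.83.57.15:20 -> 81.168.101.189:3372
References: none found SID: 1408

Date: 06/07 09:02:10 Name: DOS MSDTC attempt
Priority: 2 Type: Attempted Denial of Service
IP info: 192.0.2.77:41822 -> 81.168.101.189:3372
References: none found SID: 1408
"""

# One record = four lines; trailing spaces before the newline are tolerated.
RECORD = re.compile(
    r"Date:.*\n"
    r"Priority:.*\n"
    r"IP info:\s*(?P<src>[\d.]+):(?P<sport>\d+)\s*->\s*"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s*\n"
    r"References:.*?SID:\s*(?P<sid>\d+)"
)

FTP_DATA_PORT = 20  # IANA ftp-data: server side of an active-mode transfer

def triage(text):
    """Collapse alerts into flows and label those sourced from ftp-data."""
    flows = Counter(
        (m["sid"], m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
        for m in RECORD.finditer(text)
    )
    report = []
    for (sid, src, sport, dst, dport), count in flows.most_common():
        verdict = "likely-ftp-data" if sport == FTP_DATA_PORT else "needs-review"
        report.append({"sid": sid, "flow": f"{src}:{sport} -> {dst}:{dport}",
                       "alerts": count, "verdict": verdict})
    return report

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```

A source port is chosen by the sender, so a `likely-ftp-data` verdict should be confirmed against an FTP control session (TCP port 21) between the same two hosts before the alerts are dismissed.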





