[Snort-sigs] False positive generated on SID 2329

Jonathon Leszczynski jonalesz at ...2309...
Fri Mar 12 06:50:25 EST 2004


# This is a template for submitting snort signature descriptions to
# the snort.org website
#
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to other's work.
#
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
#
# $Id$
#
#

Rule:

--
Sid: 2329

--
Summary: (as already written)

--
Impact: Serious. (as already written)

--
Detailed Information: (as already written)

--
Affected Systems: (as already written)

--
Attack Scenarios: (as already written)

--
Ease of Attack: (as already written)

--
False Positives: When using ACID, and when ACID does its reverse lookups
(easier to replicate when many reverse lookups are occurring), the
returned information appears to SNORT to be this kind of attack.  When
the network is busy, I have been able to replicate this at will.  The
source IP will show up as coming from UDP port 53 from the DNS in making
the "attack".

--
False Negatives: (as already written)

--
Corrective Action: (as already written)

--
Contributors: (as already written) plus Jon Leszczynski

--
Additional References: (as already written)

Jonathon Leszczynski
MCIT 734-764-5725
JonaLesz at ...2309...