[Snort-sigs] False positives for sid:230
watkinse at ...2496...
Tue May 18 10:44:03 EDT 2004
My system seems to generate quite a few false positives based on the DDOS
sig 230. After a bit, valid https traffic ends up on a high port and
triggers this sid.
alert tcp $EXTERNAL_NET any -> $HOME_NET 20432 (msg:"DDOS shaft client to handler"; flow:established; reference:arachnids,254; classtype:attempted-dos; sid:230; rev:2;)
Looking here it appears there are some strings that could be triggered on:
Is there some way to make this sid more specific to the actual traffic data
rather than just a port connection?
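The following is an added example, not part of the original post and not Snort's own matching engine. It is a small Python matcher for a subset of Snort rule syntax (header ports, flow:established, content with offset/depth/nocase) that shows why the port-only sid:230 fires on any established connection to port 20432, including an HTTPS server's reply to an internal client whose ephemeral port happened to be 20432, and how a content option ties the rule to payload bytes instead. The packets are constructed, the tightened rule and its sid are hypothetical, and "HANDLER-CMD" is a placeholder rather than the real Shaft handler string (the real bytes would come from the arachnids reference the rule cites). The depth semantics are simplified: depth is applied after offset, which is close to but not identical with Snort's handling of both options together.

```python
"""Minimal matcher for a subset of Snort rule syntax (added example).

Demonstrates that a port-only rule such as sid:230 matches any established
connection to its port, while a content option restricts it to payload bytes.
"""
import re
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Packet:
    src_port: int
    dst_port: int
    payload: bytes
    established: bool = True  # TCP session already past the handshake


@dataclass
class ContentSpec:
    pattern: bytes
    offset: int = 0
    depth: Optional[int] = None
    nocase: bool = False


@dataclass
class Rule:
    dst_port: str
    sid: str = ""
    msg: str = ""
    flow: set = field(default_factory=set)
    contents: list = field(default_factory=list)


HEADER = re.compile(r'^alert tcp \S+ \S+ -> \S+ (\S+) \((.*)\)$', re.S)
OPTION = re.compile(r'\s*(\w+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')


def decode_content(text):
    """Turn a Snort content string such as ab|0A 0D|c into raw bytes."""
    out = bytearray()
    for i, part in enumerate(text.split("|")):
        out += part.encode("latin-1") if i % 2 == 0 else bytes.fromhex(part)
    return bytes(out)


def parse_rule(text):
    """Parse the header's destination port and the matching-relevant options."""
    text = " ".join(text.split())  # rejoin a rule that was wrapped across lines
    m = HEADER.match(text)
    if not m:
        raise ValueError("unsupported rule header")
    rule = Rule(dst_port=m.group(1))
    for name, value in OPTION.findall(m.group(2)):
        value = value.strip('"') if value else ""
        if name == "msg":
            rule.msg = value
        elif name == "sid":
            rule.sid = value
        elif name == "flow":
            rule.flow = {t.strip() for t in value.split(",")}
        elif name == "content":
            rule.contents.append(ContentSpec(decode_content(value)))
        elif name in ("offset", "depth", "nocase"):
            if not rule.contents:
                raise ValueError(f"{name} without a preceding content")
            spec = rule.contents[-1]
            if name == "offset":
                spec.offset = int(value)
            elif name == "depth":
                spec.depth = int(value)
            else:
                spec.nocase = True
        # reference, classtype and rev do not affect matching and are ignored
    return rule


def matches(rule, pkt):
    """Port check, then flow check, then every content option in turn."""
    if rule.dst_port != "any" and int(rule.dst_port) != pkt.dst_port:
        return False
    if "established" in rule.flow and not pkt.established:
        return False
    for spec in rule.contents:
        hay = pkt.payload[spec.offset:]
        if spec.depth is not None:
            hay = hay[:spec.depth]  # simplified: depth counted from offset
        needle = spec.pattern
        if spec.nocase:
            hay, needle = hay.lower(), needle.lower()
        if needle not in hay:
            return False
    return True


# The rule from the post, as wrapped in the mail.
PORT_ONLY_RULE = """alert tcp $EXTERNAL_NET any -> $HOME_NET 20432 (msg:"DDOS shaft client to
handler"; flow:established; reference:arachnids,254;
classtype:attempted-dos; sid:230; rev:2;)"""

# Hypothetical tightened variant: same header plus a content match anchored at
# the start of the payload. "HANDLER-CMD" and sid:1000230 are placeholders.
CONTENT_RULE = """alert tcp $EXTERNAL_NET any -> $HOME_NET 20432 (msg:"DDOS shaft client to
handler (content)"; flow:established; content:"HANDLER-CMD"; depth:11;
reference:arachnids,254; classtype:attempted-dos; sid:1000230; rev:1;)"""

# Constructed traffic, not captures from anyone's network.
TLS_SERVER_HELLO = bytes.fromhex("160303002a020000260303") + b"\x00" * 32
SAMPLE_PACKETS = {
    # HTTPS server (port 443) replying to an internal client on ephemeral
    # port 20432: the false positive described in the post.
    "https_reply": Packet(443, 20432, TLS_SERVER_HELLO),
    # Constructed handler traffic carrying the placeholder command string.
    "handler_cmd": Packet(4000, 20432, b"HANDLER-CMD alive\n"),
    # Same bytes to another port: neither rule should fire.
    "other_port": Packet(4000, 8080, b"HANDLER-CMD alive\n"),
}


def evaluate(rule_text):
    """Return {packet name: whether the rule fires} for the sample packets."""
    rule = parse_rule(rule_text)
    return {name: matches(rule, pkt) for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for label, rule in (("port only (sid:230)", PORT_ONLY_RULE), ("with content", CONTENT_RULE)):
        print(label, evaluate(rule))
```

Running it shows the port-only rule firing on both the HTTPS reply and the handler packet, while the content variant fires only on the handler packet; the other_port packet matches neither. The same split applies in Snort itself: without a content or similar payload option, `flow:established` plus a port is only a port check.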