[Snort-sigs] False positives for sid:230

Eric Watkins watkinse at ...2496...
Tue May 18 10:44:03 EDT 2004


Hello,

My system seems to generate quite a few false positives based on the DDOS 
sig 230. After a bit, valid HTTPS traffic ends up on a high port and 
triggers this sid.

alert tcp $EXTERNAL_NET any -> $HOME_NET 20432 (msg:"DDOS shaft client to handler"; flow:established; reference:arachnids,254; classtype:attempted-dos; sid:230; rev:2;)

Looking here it appears there are some strings that could be triggered on: 
http://security.royans.net/info/posts/bugtraq_ddos3.shtml

Is there some way to make this sid more specific to the actual traffic data 
rather than just a port connection?

Thanks,

Eric
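The following is an added illustration, not part of the original post and not Snort's own code, of why the rev:2 rule above fires on the server half of an ordinary HTTPS session and what the two usual qualifiers change. Snort's flow tracker records which side sent the SYN; `flow:to_server` only matches packets travelling from that initiator, so a web server's reply to a home client that happened to pick source port 20432 is excluded before any content check. Adding `content:"..."; depth:N;` then drops stray external probes of port 20432 whose payload does not start with the expected bytes. All packets are constructed samples, the `$HOME_NET` prefix is assumed, and `CLIENT_LOGIN_TOKEN` is a placeholder for whatever the shaft client really sends at login (take it from the referenced write-up rather than from this example).

```python
"""Why a port-only Snort rule false-positives, and what flow/content qualifiers
change.  Added illustration of Snort matching semantics; not Snort's own code.
All packets below are constructed samples."""
from dataclasses import dataclass
from typing import Callable, Dict, List

HOME_NET_PREFIX = "10.0.0."      # stands in for $HOME_NET (assumed)
HANDLER_PORT = 20432             # destination port in sid:230
# ASSUMPTION: placeholder for the byte string a shaft client sends at login;
# take the real value from the referenced write-up before deploying anything.
CLIENT_LOGIN_TOKEN = b"login:"


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes
    initiator: str  # IP that sent the SYN; what flow:to_server/to_client is judged against


def in_home_net(ip: str) -> bool:
    return ip.startswith(HOME_NET_PREFIX)


def sid230_rev2(pkt: Packet) -> bool:
    """As posted: $EXTERNAL_NET any -> $HOME_NET 20432, flow:established.
    Any packet from outside to a home host's port 20432 matches, including the
    server half of an HTTPS session whose client chose source port 20432."""
    return (not in_home_net(pkt.src)) and in_home_net(pkt.dst) and pkt.dport == HANDLER_PORT


def with_to_server(pkt: Packet) -> bool:
    """Adds flow:to_server: the packet must come from the session initiator.
    A web server's reply to a home client is to_client, so it no longer matches
    even though it is still external -> home:20432."""
    return sid230_rev2(pkt) and pkt.src == pkt.initiator


def with_content(pkt: Packet) -> bool:
    """Adds content:<token>; depth:len(token): the payload must start with the
    token, so external probes of port 20432 carrying other data are excluded."""
    return with_to_server(pkt) and pkt.payload.startswith(CLIENT_LOGIN_TOKEN)


RULES: Dict[str, Callable[[Packet], bool]] = {
    "port-only (rev:2)": sid230_rev2,
    "+flow:to_server": with_to_server,
    "+content/depth": with_content,
}

# Constructed traffic.  Home host 10.0.0.7 opened an HTTPS session to
# 203.0.113.5 from ephemeral port 20432; the other two sessions were opened
# from outside toward port 20432.
SAMPLE_PACKETS: List[Packet] = [
    # TLS ServerHello record coming back from the web server (to_client)
    Packet("203.0.113.5", 443, "10.0.0.7", 20432, b"\x16\x03\x01\x00\x4a\x02\x00", "10.0.0.7"),
    # stray external probe of port 20432 with unrelated data (to_server)
    Packet("198.51.100.9", 41000, "10.0.0.7", 20432, b"GET / HTTP/1.0\r\n\r\n", "198.51.100.9"),
    # assumed shaft client login (to_server, payload starts with the token)
    Packet("198.51.100.9", 41001, "10.0.0.7", 20432, CLIENT_LOGIN_TOKEN + b"attacker\n", "198.51.100.9"),
]


def alerts(packets: List[Packet]) -> Dict[str, List[int]]:
    """Return, per rule variant, the indices of packets that would alert."""
    return {name: [i for i, p in enumerate(packets) if rule(p)]
            for name, rule in RULES.items()}


if __name__ == "__main__":
    for name, hits in alerts(SAMPLE_PACKETS).items():
        print(f"{name:20s} -> packets {hits}")
```

In rule syntax the same tightening is `flow:to_server,established;` plus `content:"<token>"; depth:<len>;`; the flow change alone removes the HTTPS false positive, and the content match removes unrelated probes of the port.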