[Snort-sigs] DDOS Shaft Client Rule and False Positives

Mark markmormartin at ...1934...
Wed May 26 07:11:03 EDT 2004


I saw last week that there were some discussions in relation to false
positives on this rule:


alert tcp $EXTERNAL_NET any -> $HOME_NET 20432 (msg:"DDOS shaft client
to handler"; flow:established; reference:arachnids,254;
classtype:attempted-dos; sid:230; rev:2;)



Would this rule not be better written by using the to_server keyword instead
of established, or would it be better to modify it to be like the SCAN Proxy
rule, but changed to look for SYN packets on port 20432?

Mark
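The difference between the three variants raised above can be seen on a small constructed packet stream. The following is an added example and is not code from the original post or from the Snort project: it models Snort's flow:established, flow:to_server and a SYN-only check as simple predicates, applied to the unchanged sid:230 header ($EXTERNAL_NET any -> $HOME_NET 20432). It assumes $HOME_NET is 10.0.0.0/24, treats a session as established once a SYN and the matching SYN/ACK have been seen, and takes the "server" to be the side that received the SYN; real Snort keeps much fuller TCP state.

```python
"""Toy model of how flow:established, flow:to_server and a SYN-only check
differ on the sid:230 header. Added example; not the original post's code and
not Snort's implementation. Assumptions: $HOME_NET is 10.0.0.0/24, a session
is "established" after SYN + SYN/ACK, and the server is the SYN receiver."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

HOME_NET_PREFIX = "10.0.0."   # assumption: $HOME_NET is 10.0.0.0/24
HANDLER_PORT = 20432          # port from the sid:230 rule header

Endpoint = Tuple[str, int]


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # TCP flags as letters: "S", "SA", "A", "PA"


def is_home(ip: str) -> bool:
    return ip.startswith(HOME_NET_PREFIX)


def header_matches(p: Packet) -> bool:
    """The unchanged rule header: $EXTERNAL_NET any -> $HOME_NET 20432."""
    return (not is_home(p.src)) and is_home(p.dst) and p.dport == HANDLER_PORT


class FlowTracker:
    """Minimal stand-in for Snort's stream tracking."""

    def __init__(self) -> None:
        self.sessions: Dict[FrozenSet[Endpoint], dict] = {}

    @staticmethod
    def key(p: Packet) -> FrozenSet[Endpoint]:
        return frozenset({(p.src, p.sport), (p.dst, p.dport)})

    def update(self, p: Packet) -> None:
        k = self.key(p)
        if p.flags == "S":
            # Sender of the SYN is the client; the other side is the server.
            self.sessions[k] = {"client": (p.src, p.sport), "established": False}
        elif p.flags == "SA":
            st = self.sessions.get(k)
            if st and (p.dst, p.dport) == st["client"]:
                st["established"] = True

    def established(self, p: Packet) -> bool:
        st = self.sessions.get(self.key(p))
        return bool(st and st["established"])

    def to_server(self, p: Packet) -> bool:
        # True only when the packet travels from the client toward the server.
        st = self.sessions.get(self.key(p))
        return bool(st and (p.src, p.sport) == st["client"])


def evaluate(packets: List[Packet]) -> Dict[str, List[int]]:
    """Return, per rule variant, the indexes of packets that would alert."""
    flows = FlowTracker()
    hits: Dict[str, List[int]] = {"established": [], "to_server": [], "syn_only": []}
    for i, p in enumerate(packets):
        flows.update(p)            # stream state is updated before rules run
        if not header_matches(p):
            continue
        if flows.established(p):
            hits["established"].append(i)          # flow:established
            if flows.to_server(p):
                hits["to_server"].append(i)        # flow:to_server,established
        if p.flags == "S":
            hits["syn_only"].append(i)             # flags:S style check
    return hits


# Constructed traffic, not captured data.
# 0-3: an internal host happens to pick 20432 as its ephemeral source port for
#      an outbound HTTP connection, so the server's replies land on $HOME_NET:20432.
# 4-7: an external Shaft client connects to an internal handler on 20432.
SAMPLE = [
    Packet("10.0.0.5", 20432, "203.0.113.9", 80, "S"),
    Packet("203.0.113.9", 80, "10.0.0.5", 20432, "SA"),
    Packet("10.0.0.5", 20432, "203.0.113.9", 80, "A"),
    Packet("203.0.113.9", 80, "10.0.0.5", 20432, "PA"),
    Packet("198.51.100.7", 4000, "10.0.0.8", 20432, "S"),
    Packet("10.0.0.8", 20432, "198.51.100.7", 4000, "SA"),
    Packet("198.51.100.7", 4000, "10.0.0.8", 20432, "A"),
    Packet("198.51.100.7", 4000, "10.0.0.8", 20432, "PA"),
]

if __name__ == "__main__":
    for name, idx in evaluate(SAMPLE).items():
        print(f"{name:12s} alerts on packets {idx}")
```

On this stream the established-only variant alerts on the web server's SYN/ACK and data packets (1 and 3) as well as on the real client-to-handler traffic (6 and 7), because flow:established does not care which side of the session the packet comes from. Adding to_server keeps only 6 and 7, since those are the only matching packets sent by the side that opened the connection. The SYN-only variant alerts once, on the connection attempt (4), before any handshake completes, which is the same trade-off the SCAN Proxy style of rule makes: it fires on every probe of the port, whether or not anything answers.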



