[Snort-sigs] False positive on "DDOS mstream handler to client"

Christiaan Ehlers christiaan.ehlers at ...3312...
Fri Aug 3 15:24:56 EDT 2007


I found a false positive for rule "classtype:attempted-dos; sid:248; rev:4;".  The trigger was an RTP packet that uses random high ports, which happened to be 12754.  Since the RTP data is pretty much random as well, it also contained the string ">".

Payload of my packet:
length = 30

000 : 03 00 00 1E 22 C0 00 02 04 80 13 4C 00 C3 26 1C   ...."......L..&.
010 : FA 40 3E 00 C3 26 1C FA 40 3F 03 00 01 00         .@>..&..@?....

As stated, this was from a Cisco VoIP gateway to a software call agent.
Kind Regards
Christiaan Ehlers
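Added example (not part of the post above and not Snort's own rule text): a small Python script that rebuilds the raw bytes from the hex dump in the message, replays the match the post describes (source port 12754 plus a single ">" byte anywhere in the payload, which is an assumed simplification of the real rule options), and quantifies why a one-byte content match is a weak signature on random-looking media traffic. The port number and the ">" content are taken from the post; the function names and the random-payload model are this example's own. As a side check it also tests whether the first four bytes are consistent with an RFC 1006 TPKT header (version 3, big-endian length equal to the stated 30 bytes), which is an observation about the dump only.

```python
import re

# Constructed from the hex dump in the post above (30 bytes, gateway -> call agent).
HEXDUMP = """\
000 : 03 00 00 1E 22 C0 00 02 04 80 13 4C 00 C3 26 1C   ...."......L..&.
010 : FA 40 3E 00 C3 26 1C FA 40 3F 03 00 01 00         .@>..&..@?....
"""

# Taken from the post: the source port the traffic happened to use and the
# content the rule matched on. Every other rule option is assumed away here.
TRIGGER_PORT = 12754
TRIGGER_CONTENT = b">"


def parse_hexdump(dump: str) -> bytes:
    """Rebuild raw bytes from 'OFF : XX XX ... <ascii>' lines (Snort/tcpdump style)."""
    out = bytearray()
    for line in dump.splitlines():
        if ":" not in line:
            continue
        _, _, rest = line.partition(":")
        # The hex column is separated from the ASCII column by two or more spaces.
        hexcol = re.split(r"\s{2,}", rest.strip(), maxsplit=1)[0]
        out += bytes.fromhex(hexcol)
    return bytes(out)


def rule_fires(src_port: int, payload: bytes) -> bool:
    """Simplified version of the match described in the post: source port 12754
    and the byte '>' anywhere in the payload (assumption; real rule has more options)."""
    return src_port == TRIGGER_PORT and TRIGGER_CONTENT in payload


def content_offsets(payload: bytes, content: bytes) -> list:
    """Every offset at which the content occurs. Handy when judging whether an
    offset/depth constraint on the content match would have excluded the packet."""
    return [i for i in range(len(payload) - len(content) + 1)
            if payload.startswith(content, i)]


def fp_probability(payload_len: int, content_len: int = 1) -> float:
    """Probability that a uniformly random payload of payload_len bytes contains a
    given content_len-byte string at least once. Exact for content_len == 1; for
    longer strings it treats positions as independent (a close approximation)."""
    positions = payload_len - content_len + 1
    if positions <= 0:
        return 0.0
    p_per_position = 256.0 ** (-content_len)
    return 1.0 - (1.0 - p_per_position) ** positions


def looks_like_tpkt(payload: bytes) -> bool:
    """Side check on the dump: bytes 0..3 match an RFC 1006 TPKT header
    (version 3, reserved 0, big-endian total length equal to the payload size)."""
    return (len(payload) >= 4 and payload[0] == 3 and payload[1] == 0
            and int.from_bytes(payload[2:4], "big") == len(payload))


def analyse(dump: str = HEXDUMP, src_port: int = TRIGGER_PORT) -> dict:
    """Run every check over one dump and return the results as a dict."""
    payload = parse_hexdump(dump)
    return {
        "length": len(payload),
        "fires": rule_fires(src_port, payload),
        "offsets": content_offsets(payload, TRIGGER_CONTENT),
        "fp_rate_random_payload": fp_probability(len(payload), len(TRIGGER_CONTENT)),
        "tpkt_framed": looks_like_tpkt(payload),
    }


if __name__ == "__main__":
    r = analyse()
    print(f"payload length           : {r['length']}")
    print(f"simplified rule fires    : {r['fires']}")
    print(f"'>' found at offsets     : {r['offsets']}")
    print(f"P(random payload has '>'): {r['fp_rate_random_payload']:.3f}")
    print(f"TPKT-style framing       : {r['tpkt_framed']}")
```

For a 30-byte random payload the chance of containing at least one 0x3E byte is about 11 percent, so any chatty flow that lands on the trigger port will alert regularly; a four-byte content string on the same payload length drops that to well under one in a million, which is the usual argument for anchoring a content match with offset/depth or lengthening it when the protocol allows.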


