[Snort-sigs] DOS openldap authcid name denial of service attempt triggering one tonnes of AD traffic

Jason Haar Jason.Haar at ...651...
Tue Jul 7 00:06:17 EDT 2009

Hi there

I finally rolled out the so_rules today onto our "test" production site
and the thing immediately started triggering FPs on Windows clients
talking to Active Directory domain controllers.

As y'all know, AD domain controllers are LDAP-enabled and Windows
routinely uses LDAP to pass information between "the domain" and its
members. I ended up with 240 events within a 30 minute period, involving
50 hosts!

Anyway, as 3:13416 is meant to catch a bug from 2006 OpenLDAP - it's a
FP :-)

This is using 2.8.4 with rules updated today. I can send some hex-dumps
if you want it


Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

More information about the Snort-sigs mailing list