[Snort-sigs] DOS openldap authcid name denial of service attempt triggering on tonnes of AD traffic
Jason.Haar at ...651...
Tue Jul 7 00:06:17 EDT 2009
I finally rolled out the so_rules today onto our "test" production site
and the thing immediately started triggering FPs on Windows clients
talking to Active Directory domain controllers.
As y'all know, AD domain controllers are LDAP-enabled and Windows
routinely uses LDAP to pass information between "the domain" and its
members. I ended up with 240 events within a 30 minute period, involving
Anyway, as 3:13416 is meant to catch a bug from 2006 OpenLDAP - it's a
This is using 2.8.4 with rules updated today. I can send some hex-dumps
if you want them.
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1