[Snort-sigs] DOS openldap authcid name denial of service attempt triggering one tonnes of AD traffic

Joel Esler eslerj at ...2420...
Tue Jul 7 08:55:20 EDT 2009


Instinct would tell me that if you aren't running OpenLDAP, then to shut
off the rule, so you don't receive the alerts.  However, you may want to
file an actual False Positive report, so that if the rule can be cleaned up
in any way, the VRT can do that.
In order to do it though, they will need a full-session full-snaplength
packet capture.

J

On Tue, Jul 7, 2009 at 12:06 AM, Jason Haar <Jason.Haar at ...651...> wrote:

> Hi there
>
> I finally rolled out the so_rules today onto our "test" production site
> and the thing immediately started triggering FPs on Windows clients
> talking to Active Directory domain controllers.
>
> As y'all know, AD domain controllers are LDAP-enabled and Windows
> routinely uses LDAP to pass information between "the domain" and its
> members. I ended up with 240 events within a 30 minute period, involving
> 50 hosts!
>
> Anyway, as 3:13416 is meant to catch a bug from 2006 OpenLDAP - it's an
> FP :-)
>
> This is using 2.8.4 with rules updated today. I can send some hex-dumps
> if you want them
>
>
> --
> Cheers
>
> Jason Haar
> Information Security Manager, Trimble Navigation Ltd.
> Phone: +64 3 9635 377 Fax: +64 3 9635 417
> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
>
>
>



-- 
joel esler | Sourcefire | AIM: eslerjoel | 302-223-5974
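The two steps Joel describes, as an added example that is not code from the thread or from Sourcefire: commenting out a rule stub by GID/SID in a Snort rules file, and taking the full-session, full-snaplength capture the VRT asks for with tcpdump. The rules file path, interface, hosts and the sample stub lines are assumptions or constructed; rules without an explicit gid keyword (gid 1) are not matched by this helper.

```shell
#!/bin/sh
# Added example, not from the thread. Disable one Snort rule by GID/SID in
# a rules (or so_rules stub) file, and capture full-snaplength LDAP traffic
# so a false-positive report can include the whole session.

# Comment out every active rule line that carries "gid:<gid>;" and
# "sid:<sid>;". The line is kept so the change is easy to revert.
# Usage: disable_sid <rules-file> <gid> <sid>
disable_sid() {
    file=$1; gid=$2; sid=$3
    awk -v gid="$gid" -v sid="$sid" '
        $0 !~ /^[[:space:]]*#/ && index($0, "gid:" gid ";") && index($0, "sid:" sid ";") {
            $0 = "# " $0          # prefix with a comment marker
        }
        { print }' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Count active (uncommented) rules with a given GID/SID, to verify the edit.
# Usage: active_sid_count <rules-file> <gid> <sid>
active_sid_count() {
    awk -v gid="$2" -v sid="$3" '
        $0 !~ /^[[:space:]]*#/ && index($0, "gid:" gid ";") && index($0, "sid:" sid ";") { n++ }
        END { print n + 0 }' "$1"
}

# Write a constructed stub file (sample data, not real VRT rule text) so the
# helpers can be exercised offline. Usage: make_sample_stubs <file>
make_sample_stubs() {
    printf '%s\n' \
      'alert tcp $EXTERNAL_NET any -> $HOME_NET 389 (msg:"DOS openldap authcid name denial of service attempt"; sid:13416; gid:3; rev:2;)' \
      'alert tcp any any -> any 389 (msg:"constructed gid 1 rule with same sid"; sid:13416; gid:1; rev:1;)' \
      '# alert tcp any any -> any 389 (msg:"constructed, already disabled"; sid:13416; gid:3; rev:1;)' \
      > "$1"
}

# Full-session, full-snaplength (-s 0) capture of LDAP traffic between one
# Windows client and one domain controller; interface, hosts and the
# assumption that AD LDAP is on tcp/389 are all placeholders.
# Usage: capture_ldap <iface> <client-ip> <dc-ip> <out.pcap>
capture_ldap() {
    tcpdump -i "$1" -s 0 -w "$4" "host $2 and host $3 and tcp port 389"
}
```

Run `disable_sid /path/to/so_rules/dos.rules 3 13416` (path assumed) and hand the resulting pcap from `capture_ldap` to the FP report.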