[Snort-sigs] DOS openldap authcid name denial of service attempt triggering one tonnes of AD traffic

Jason Haar Jason.Haar at ...651...
Tue Jul 7 20:59:24 EDT 2009

Joel Esler wrote:
> Instinct would tell me, that if you aren't running OpenLDAP, then to
> shut off the rule, so you don't receive the alerts.

I never said we aren't running OpenLDAP - we are.
>  However, you may want to file an actual False Positive report, so
> that if the rule can be cleaned up in any way, the VRT can do that. 

OK - do you mean email fp at ...957...? It's just that the False Positive
webpage says to send to this list as an option? Now that I think about
it, sending to this list really isn't a good option - as there will
invariably be a requirement for pcaps - which people may not want to
share. Maybe you should remove that option to stop people like me? :-)

> In order to do it though, they will need a full-session
> full-snaplength packet capture.

I'll send that too


Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

More information about the Snort-sigs mailing list