[Snort-sigs] DOS openldap authcid name denial of service attempt triggering on tonnes of AD traffic
eslerj at ...2420...
Wed Jul 8 08:21:27 EDT 2009
On Tue, Jul 7, 2009 at 8:59 PM, Jason Haar <Jason.Haar at ...651...> wrote:
> Joel Esler wrote:
> > Instinct would tell me, that if you aren't running OpenLDAP, then to
> > shut off the rule, so you don't receive the alerts.
> I never said we aren't running OpenLDAP - we are.
Well, you said you were running Active Directory.
> > However, you may want to file an actual False Positive report, so
> > that if the rule can be cleaned up in any way, the VRT can do that.
> OK - do you mean email fp at ...957...? It's just that the False Positive
> webpage says to send to this list as an option? Now that I think about
> it, sending to this list really isn't a good option - as there will
> invariably be a requirement for pcaps - which people may not want to
> share. Maybe you should remove that option to stop people like me? :-)
research [at] sourcefi...com (you know what goes in the rest)
Make sure you fill out a good bug report, include full session pcaps, etc.
As you said, don't send your pcaps to the list :) But the reason we point
people to the list first is because sometimes it's not a false positive and
we just need to help people out a bit.
> > In order to do it though, they will need a full-session
> > full-snaplength packet capture.
> I'll send that too
> Jason Haar
> Information Security Manager, Trimble Navigation Ltd.
> Phone: +64 3 9635 377 Fax: +64 3 9635 417
> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
joel esler | Sourcefire | AIM: eslerjoel | 302-223-5974