[Snort-sigs] DOS openldap authcid name denial of service attempt triggering one tonnes of AD traffic

Joel Esler eslerj at ...2420...
Wed Jul 8 08:21:27 EDT 2009


On Tue, Jul 7, 2009 at 8:59 PM, Jason Haar <Jason.Haar at ...651...> wrote:

> Joel Esler wrote:
> > Instinct would tell me, that if you aren't running OpenLDAP, then to
> > shut off the rule, so you don't receive the alerts.
>
> I never said we aren't running OpenLDAP - we are.
>

Well, you said you were running Active Directory.
> >  However, you may want to file an actual False Positive report, so
> > that if the rule can be cleaned up in any way, the VRT can do that.
>
> OK - do you mean email fp at ...957...? It's just that the False Positive
> webpage says to send to this list as an option? Now that I think about
> it, sending to this list really isn't a good option - as there will
> invariably be a requirement for pcaps - which people may not want to
> share. Maybe you should remove that option to stop people like me? :-)
>

research [at] sourcefi...com  (you know what goes in the rest)

Make sure you fill out a good bug report, include full session pcaps, etc.

As you said, don't send your pcaps to the list :)  But the reason we point
people to the list first is because sometimes it's not a false positive and
we just need to help people out a bit.

J


>
>
> >
> > In order to do it though, they will need a full-session
> > full-snaplength packet capture.
>
> I'll send that too
>
>
>
> --
> Cheers
>
> Jason Haar
> Information Security Manager, Trimble Navigation Ltd.
> Phone: +64 3 9635 377 Fax: +64 3 9635 417
> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
>
>


-- 
joel esler | Sourcefire | AIM: eslerjoel | 302-223-5974
