[Snort-users] snort.alert.2000.

Simon Attwell attwell at ...461...
Fri Nov 24 13:45:02 EST 2000


Getting false positives for the following rule.
alert TCP any any -> any 12754 (msg:"DDos - mstream client to handler"; flags: PA; content: ">"; )

High traffic web servers sending to clients will sometimes match port 12754, since HTML also contains
">" and continuation packets are flagged "PA".

Anyone have more information on the mstream DDoS and perhaps a more specific rule to catch it?
Or is everyone just disabling this alert :)

	- Simon

Simon Attwell
Systems Engineer
5520 Research Park Drive
Madison, WI 53711
attwell at ...460...

Berbee... putting the E in business.
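The false positive Simon describes can be reproduced with a small matcher that evaluates exactly the three predicates in the quoted rule (destination port, exact TCP flag set, and a substring content match). The code below is an added example, not from the original post or from the Snort project; it is a deliberately simplified model of Snort's rule evaluation (Snort 1.x `flags:PA` with no modifier means the flag set must be exactly PSH+ACK, and only plain-string `content` values are handled, not `|hex|` escapes), and the packets are constructed samples, not captured traffic.

```python
import re
from dataclasses import dataclass

# The rule exactly as quoted in the post.
RULE = ('alert TCP any any -> any 12754 '
        '(msg:"DDos - mstream client to handler"; flags: PA; content: ">"; )')


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    msg: str = ""
    flags: str = ""
    content: bytes = b""


def parse_rule(text):
    """Parse a single-line Snort 1.x rule with msg/flags/content options.

    Simplified: assumes plain-string content (no |hex| escapes) and no
    option values containing ';'.
    """
    header, _, opts = text.partition("(")
    action, proto, src, sport, _arrow, dst, dport = header.split()
    rule = Rule(action, proto.lower(), src, sport, dst, dport)
    for opt in opts.rstrip().rstrip(")").split(";"):
        key, _, val = opt.strip().partition(":")
        key, val = key.strip(), val.strip()
        if key == "msg":
            rule.msg = val.strip('"')
        elif key == "flags":
            rule.flags = val
        elif key == "content":
            rule.content = val.strip('"').encode()
    return rule


@dataclass
class Packet:
    proto: str
    sport: int
    dport: int
    flags: str      # TCP flag letters, e.g. "PA" for PSH+ACK
    payload: bytes


def port_matches(spec, port):
    return spec == "any" or int(spec) == port


def flags_match(spec, flags):
    # No '+' or '*' modifier: the flag set must match exactly.
    return set(spec) == set(flags)


def rule_matches(rule, pkt):
    return (pkt.proto == rule.proto
            and port_matches(rule.sport, pkt.sport)
            and port_matches(rule.dport, pkt.dport)
            and (not rule.flags or flags_match(rule.flags, pkt.flags))
            and rule.content in pkt.payload)


# Constructed sample traffic, not captured packets.
SAMPLE_PACKETS = [
    # web server continuation segment to a client whose ephemeral port is 12754
    Packet("tcp", 80, 12754, "PA", b"<p>hello</p>\n</body></html>"),
    # same HTML segment to a different ephemeral port: no match
    Packet("tcp", 80, 40123, "PA", b"<p>hello</p>\n</body></html>"),
    # segment to 12754 with ACK only (no PSH): flags do not match exactly
    Packet("tcp", 80, 12754, "A", b"<html>"),
    # PSH+ACK to 12754 but the payload has no '>': content does not match
    Packet("tcp", 80, 12754, "PA", b"binary data 0000"),
]


def alerts_for(rule, packets):
    """Return the indices of packets that would fire the rule."""
    return [i for i, p in enumerate(packets) if rule_matches(rule, p)]


if __name__ == "__main__":
    rule = parse_rule(RULE)
    for i in alerts_for(rule, SAMPLE_PACKETS):
        print(f"packet {i}: {rule.msg}")
```

Running it fires on the first constructed packet only: an ordinary HTTP response segment that happens to be destined for client port 12754, carrying PSH+ACK and a ">" somewhere in its HTML, is indistinguishable from the rule's point of view. The example makes it easy to see which of the three predicates is doing the least work (a one-byte content match on ">" is nearly always true for HTML), which is the part of the rule any tighter replacement would need to strengthen.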
