attwell at ...461...
Fri Nov 24 13:45:02 EST 2000
Getting false positives for the following rule.
alert TCP any any -> any 12754 (msg:"DDos - mstream client to handler"; flags: PA; content: ">"; )
High-traffic web servers sending to clients will sometimes match port 12754, since HTML also contains
">" and continuation packets are flagged "PA".
Anyone have more information on the mstream DDoS and perhaps a more specific rule to catch it?
Or is everyone just disabling this alert :)
5520 Research Park Drive
Madison, WI 53711
attwell at ...460...
Berbee... putting the E in business.
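
Added example, not part of the original post: a small Python model of the header, flags and content checks in the rule above, run over constructed packets to show why a web server reply to a client on port 12754 matches. The `not_sport` field and the tightened variant are assumptions for illustration (a false-positive filter, not a verified mstream signature).

```python
# Models only the port, flags and content checks of the posted rule.
from dataclasses import dataclass

PSH, ACK = 0x08, 0x10  # TCP flag bits

@dataclass
class Packet:  # constructed sample packets, not captured traffic
    sport: int
    dport: int
    flags: int
    payload: bytes

@dataclass
class Rule:
    dport: int
    flags: int                          # "flags: PA" = exactly PSH+ACK set
    content: bytes
    not_sport: frozenset = frozenset()  # hypothetical: negated source ports, e.g. !80

    def matches(self, p: Packet) -> bool:
        return (p.dport == self.dport
                and p.sport not in self.not_sport
                and p.flags == self.flags
                and self.content in p.payload)

ORIGINAL = Rule(dport=12754, flags=PSH | ACK, content=b">")
# Assumption: exclude the web server source port to drop HTTP replies.
TIGHTENED = Rule(dport=12754, flags=PSH | ACK, content=b">",
                 not_sport=frozenset({80}))

SAMPLES = {
    # Web server reply to a client whose ephemeral port happens to be 12754.
    "http_reply": Packet(80, 12754, PSH | ACK, b"<html><body>hello</body></html>"),
    # Same kind of reply to a different ephemeral port: never matched.
    "http_other": Packet(80, 40211, PSH | ACK, b"<html></html>"),
    # Constructed stand-in for a session to port 12754 from a high port.
    "to_12754": Packet(33012, 12754, PSH | ACK, b"> "),
}

def evaluate(rule: Rule) -> dict:
    """Return {sample name: whether the rule fires} for every sample packet."""
    return {name: rule.matches(p) for name, p in SAMPLES.items()}

if __name__ == "__main__":
    for label, rule in (("original", ORIGINAL), ("tightened", TIGHTENED)):
        print(label, evaluate(rule))
```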