[Snort-users] DOS MSDTC attempt false positive

Kenny D bitored2002 at ...3162...
Wed May 8 09:11:21 EDT 2002


Hi,


I am getting numerous DOS false positives such as DOS
MSDTC and DDOS mstream client to handler where the
source port is 80 and the destination port is 3372 and
12754 respectively. These are return packets from an
established connection, i.e. the destination port is
>1023. I was thinking of writing a pass rule to ignore
alerts where source port is 80 and destination port
>1023. Is this pass rule commonly used, or can it make
me vulnerable in any way? A way to ignore return
packets in established TCP connections would be
extremely useful.

I use Snort 1.8.6 on Red Hat 7.2.

Rgds,

Kenny.
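
The filter described in the post, as an added example that is not part of the original message: it applies the proposed port-only test and a narrower reply-aware test to constructed alert records, to show which alerts each one would hide. The `Alert` type, the function names and the addresses are hypothetical.

```python
from dataclasses import dataclass

SYN, PSH, ACK = 0x02, 0x08, 0x10  # TCP flag bits

@dataclass(frozen=True)
class Alert:
    msg: str
    src_ip: str
    src_port: int
    dst_port: int
    flags: int

# Assumption: web servers this site is expected to talk to (placeholder address).
KNOWN_WEB_SERVERS = {"192.0.2.10"}

def port_only_ignore(a):
    """The filter proposed in the post: source port 80, destination port > 1023."""
    return a.src_port == 80 and a.dst_port > 1023

def reply_aware_ignore(a):
    """Same ports, but the segment must also look like a reply (ACK set, SYN
    clear) and come from an expected web server. Flags only approximate
    connection state; they do not prove a session exists."""
    is_reply = bool(a.flags & ACK) and not (a.flags & SYN)
    return port_only_ignore(a) and is_reply and a.src_ip in KNOWN_WEB_SERVERS

def triage(alerts, ignore):
    """Return the alerts that still reach an analyst after applying `ignore`."""
    return [a for a in alerts if not ignore(a)]

# Constructed sample alerts (not taken from a real sensor).
SAMPLE = [
    Alert("DOS MSDTC attempt", "192.0.2.10", 80, 3372, ACK),
    Alert("DDOS mstream client to handler", "192.0.2.10", 80, 12754, ACK | PSH),
    Alert("DOS MSDTC attempt", "203.0.113.7", 80, 3372, SYN),    # opens a connection
    Alert("DOS MSDTC attempt", "203.0.113.7", 40000, 3372, ACK),
]

if __name__ == "__main__":
    for name, rule in (("port-only", port_only_ignore),
                       ("reply-aware", reply_aware_ignore)):
        kept = triage(SAMPLE, rule)
        print(f"{name}: {len(kept)} alert(s) kept")
        for a in kept:
            print(f"  {a.msg}  {a.src_ip}:{a.src_port} -> :{a.dst_port}")
```

With the port-only test, the third record is hidden along with the two web replies, even though it is a connection-opening SYN rather than return traffic.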




