[Snort-users] DOS MSDTC attempt false positive

Roberto Suarez Soto robe at ...3881...
Thu May 9 01:26:03 EDT 2002


On May/09, Kenny D wrote:

> I was thinking of writing a pass rule to ignore
> alerts where source port is 80 and destination port
> >1023.

	I've simply added a pass rule for connections from 80 on an external
host to 3372 on some of the local hosts (i.e., the web proxy). It works, and I
don't think I'm being much more vulnerable by ignoring these connections.
Besides, the 3372 is closed on the firewall by default, so that's another
reason to be sure about that :-)

-- 
Roberto Suarez Soto					Alfa21 Outsourcing
    robe at ...3881...				     http://www.alfa21.com
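
The two pass rules discussed in this thread, written out as an added example (not taken from either poster's configuration). The variable name WEB_PROXY and its address are constructed placeholders, and $EXTERNAL_NET and $HOME_NET are assumed to be defined in snort.conf.

```snort
# Constructed placeholder: the one local host (the web proxy) that triggers
# the false positive. 192.0.2.10 is a documentation address, not a real host.
var WEB_PROXY 192.0.2.10/32

# Broad form (the idea quoted from Kenny D): ignore everything from source
# port 80 to a destination port above 1023. Left commented out because it
# would also suppress every other signature for any traffic whose source
# port is 80, on every local host.
# pass tcp $EXTERNAL_NET 80 -> $HOME_NET 1024:

# Narrow form (what Roberto describes): only external port 80 to port 3372
# on the proxy. All other hosts and ports keep full alerting.
pass tcp $EXTERNAL_NET 80 -> $WEB_PROXY 3372

# Snort's default rule order is alert, pass, log, so a pass rule only
# suppresses the alert when snort is started with -o (pass rules first).
```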



