[Snort-users] DOS MSDTC attempt false positive

Bill McCarty bmccarty at ...5196...
Fri May 10 23:23:02 EDT 2002

Hi Kenny,

As I recall, there was a report on snort-devel or snort-sigs indicating 
that the dsize=0 in the relevant rule is ignored by Snort. Authentic MSDTC 
attacks have a zero-byte payload, whereas your port 80 traffic likely does 
not. You can work around the problem by modifying the rule to specify 
dsize<1 rather than dsize=0.

I recommend that you check the archives of snort-devel and snort-sig before 
taking my report as gospel. It's late and I'm tired, or I'd check it out 
rather than merely report it as I've done. Sorry for any inaccuracy or 


--On Thursday, May 09, 2002 1:36 AM +1000 Kenny D 
<bitored2002 at ...3162...> wrote:

> i am getting numerous DOS false positives such as DOS
> MSDTC and DDOS mstream client to handler    where the
> source port is 80 and the destination port is 3372 and
> 12754 respectively.

Bill McCarty
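The mechanism behind the false positive, as an added illustration that is not part of the post and not Snort's own code: a small Python evaluator for the `dsize` rule option (Snort writes it with a colon, `dsize:0` and `dsize:<1`, rather than the `=` used above), run over two constructed packets. The `emulate_reported_bug` switch is an assumption that models the behaviour the thread describes, a parser silently dropping the `dsize:0` test, so that every packet to the MSDTC port matches, including ordinary web replies whose client happened to use port 3372. The `<1` form keeps the same meaning while avoiding that path.

```python
"""Toy evaluator for Snort's dsize option (added example, not Snort code).

Supported forms (these match Snort's documented syntax):
    dsize:n     payload exactly n bytes
    dsize:<n    payload fewer than n bytes
    dsize:>n    payload more than n bytes
"""
import re
from dataclasses import dataclass

_DSIZE_RE = re.compile(r"^dsize:\s*(?P<op>[<>]?)\s*(?P<n>\d+)\s*;?$")


@dataclass
class Packet:
    src_port: int
    dst_port: int
    payload: bytes


def parse_dsize(option, emulate_reported_bug=False):
    """Return a predicate over payload length for one dsize option string.

    emulate_reported_bug is an assumption used to model the thread's report
    that a bare dsize:0 was ignored: the size test is dropped entirely, so the
    predicate accepts any payload length.
    """
    m = _DSIZE_RE.match(option.strip())
    if not m:
        raise ValueError(f"unsupported dsize option: {option!r}")
    op, n = m.group("op"), int(m.group("n"))
    if emulate_reported_bug and op == "" and n == 0:
        return lambda size: True  # the dsize test silently disappears
    if op == "<":
        return lambda size: size < n
    if op == ">":
        return lambda size: size > n
    return lambda size: size == n


def matches(rule_dsize, pkt, dst_port=3372, emulate_reported_bug=False):
    """A minimal stand-in for the rule: destination port plus the dsize test."""
    pred = parse_dsize(rule_dsize, emulate_reported_bug)
    return pkt.dst_port == dst_port and pred(len(pkt.payload))


# Constructed sample traffic (not captured data).
SAMPLE = [
    # Zero-byte payload to 3372: the traffic the rule is meant to catch.
    Packet(src_port=4321, dst_port=3372, payload=b""),
    # Web server reply to a client whose ephemeral port happened to be 3372.
    Packet(src_port=80, dst_port=3372, payload=b"HTTP/1.1 200 OK\r\n"),
]


def evaluate(rule_dsize, emulate_reported_bug=False):
    """Apply one dsize option to every sample packet; returns a list of bools."""
    return [matches(rule_dsize, p, emulate_reported_bug=emulate_reported_bug)
            for p in SAMPLE]


if __name__ == "__main__":
    for opt in ("dsize:0", "dsize:<1"):
        print(opt, "correct:", evaluate(opt),
              "bug emulated:", evaluate(opt, emulate_reported_bug=True))
```

With a correct evaluator both options flag only the zero-byte packet; with the reported behaviour emulated, `dsize:0` also flags the HTTP reply, which is exactly the source-port-80 alert Kenny reported, while `dsize:<1` still does not.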