[Snort-users] DOS MSDTC attempt false positive

Bill McCarty bmccarty at ...5196...
Fri May 10 23:23:02 EDT 2002


Hi Kenny,

As I recall, there was a report on snort-devel or snort-sigs indicating 
that the dsize=0 in the relevant rule is ignored by Snort. Authentic MSDTC 
attacks have a zero-byte payload, whereas your port 80 traffic likely does 
not. You can work around the problem by modifying the rule to specify 
dsize<1 rather than dsize=0.

I recommend that you check the archives of snort-devel and snort-sigs before 
taking my report as gospel. It's late and I'm tired, or I'd check it out 
rather than merely report it as I've done. Sorry for any inaccuracy or 
confusion!

Cheers,

--On Thursday, May 09, 2002 1:36 AM +1000 Kenny D 
<bitored2002 at ...3162...> wrote:

> I am getting numerous DOS false positives such as DOS
> MSDTC and DDOS mstream client to handler, where the
> source port is 80 and the destination port is 3372 and
> 12754 respectively.

---------------------------------------------------
Bill McCarty
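An added illustration of the point Bill makes above (example code written for this page, not part of the thread and not Snort's own matching engine): a small evaluator for Snort's `dsize` option, run over two constructed packets. The rule body, port number and packet contents are assumptions for the demonstration; the distributed MSDTC rule's actual options are not reproduced here. Toggling `honor_dsize` shows why a rule whose `dsize:0;` check is silently ignored would fire on ordinary port 80 traffic to port 3372, while a rule whose size check is honoured (as `dsize:0;` or `dsize:<1;`) alerts only on the zero-byte segment.

```python
import re
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass
class Packet:
    """Only the fields a port filter and a dsize check need (constructed, not captured)."""
    src_port: int
    dst_port: int
    payload: bytes


# Snort rule syntax for the option: dsize:0;  dsize:<1;  dsize:>1023;
_DSIZE_RE = re.compile(r"dsize\s*:\s*(?P<op>[<>]?)\s*(?P<n>\d+)\s*;")


def parse_dsize(options: str) -> Optional[Callable[[int], bool]]:
    """Return a predicate on payload length for the rule's dsize option,
    or None when the rule body carries no dsize option at all."""
    m = _DSIZE_RE.search(options)
    if m is None:
        return None
    n, op = int(m.group("n")), m.group("op")
    if op == "<":
        return lambda k: k < n
    if op == ">":
        return lambda k: k > n
    return lambda k: k == n          # bare number means "exactly n bytes"


def matches(dst_port: int, options: str, pkt: Packet, honor_dsize: bool = True) -> bool:
    """Minimal matcher: destination-port filter plus the dsize option.
    honor_dsize=False reproduces the reported behaviour of the size check being ignored."""
    if pkt.dst_port != dst_port:
        return False
    check = parse_dsize(options)
    if check is None or not honor_dsize:
        return True
    return check(len(pkt.payload))


# Constructed traffic: a zero-byte segment to 3372 (the shape the signature is after)
# and an ordinary HTTP response from port 80 whose client side happens to be port 3372.
ZERO_BYTE = Packet(src_port=40000, dst_port=3372, payload=b"")
HTTP_REPLY = Packet(src_port=80, dst_port=3372,
                    payload=b"HTTP/1.0 200 OK\r\n\r\n" + b"x" * 500)

RULE_DST_PORT = 3372                                   # assumed for the demo
ORIGINAL_OPTS = 'msg:"DOS MSDTC attempt"; dsize:0;'    # hypothetical rule body
WORKAROUND_OPTS = 'msg:"DOS MSDTC attempt"; dsize:<1;'  # the suggested rewrite


def alerts(options: str, honor_dsize: bool = True) -> List[str]:
    """Names of the constructed packets that would raise an alert under the rule body."""
    out = []
    for name, pkt in (("zero_byte", ZERO_BYTE), ("http_reply", HTTP_REPLY)):
        if matches(RULE_DST_PORT, options, pkt, honor_dsize):
            out.append(name)
    return out


if __name__ == "__main__":
    print("dsize:0  honoured:", alerts(ORIGINAL_OPTS))
    print("dsize:0  ignored :", alerts(ORIGINAL_OPTS, honor_dsize=False))
    print("dsize:<1 honoured:", alerts(WORKAROUND_OPTS))
```

The matcher only looks at destination port and payload length; a real rule also carries flow and content options, so treat this purely as a way to reason about which packets a size check keeps out. If the rule still fires on non-empty port 80 traffic after the change, the size check is not the part of the rule that is matching.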
