[Snort-users] DOS MSDTC attempt false positive

Matt Kettler mkettler at ...4108...
Sat May 11 08:49:02 EDT 2002

That would be a bit strange, since the rule in my ruleset at least 
specifies dsize > 1023. If a genuine MSDTC attack has 0 byte payload that 
would guarantee that this rule is 100% false.

At 11:22 PM 5/10/2002 -0700, Bill McCarty wrote:
>Hi Kenny,
>As I recall, there was a report on snort-devel or snort-sigs indicating 
>that the dsize=0 in the relevant rule is ignored by Snort. Authentic MSDTC 
>attacks have a zero-byte payload, whereas your port 80 traffic likely does 
>not. You can work around the problem by modifying the rule to specify 
>dsize<1 rather than dsize=0.
>I recommend that you check the archives of snort-devel and snort-sig 
>before taking my report as gospel. It's late and I'm tired, or I'd check 
>it out rather than merely report it as I've done. Sorry for any inaccuracy 
>or confusion!
>--On Thursday, May 09, 2002 1:36 AM +1000 Kenny D 
><bitored2002 at ...3162...> wrote:
>>I am getting numerous DOS false positives such as DOS
>>MSDTC and DDOS mstream client to handler where the
>>source port is 80 and the destination port is 3372 and
>>12754 respectively.
>Bill McCarty
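The thread turns on how three `dsize` forms behave: `dsize:0` (reported above as ignored by Snort), the suggested `dsize:<1` workaround, and the `dsize:>1023` found in Matt Kettler's copy of the rule. The example below is added here and is neither code from this thread nor from Snort itself: it parses Snort 2 `dsize` modifiers (exact, `<`, `>` and the `A<>B` range form, which this code treats as inclusive; that is an assumption) and evaluates each over a set of constructed packet payload sizes. It implements the documented comparison semantics directly, so it shows what each form *should* match, not the engine bug Bill describes; the point it makes is that a zero-byte payload can never satisfy `dsize:>1023`, so a rule carrying that modifier cannot be the one firing on the port 80 traffic, while `dsize:<1` and `dsize:0` are equivalent on paper.

```python
import re
from typing import Callable, Dict, List

# Snort 2 "dsize" modifier forms handled here (range inclusivity is an assumption):
#   dsize:N;      payload is exactly N bytes
#   dsize:<N;     payload is fewer than N bytes
#   dsize:>N;     payload is more than N bytes
#   dsize:A<>B;   payload is between A and B bytes, treated as inclusive
_DSIZE_RE = re.compile(
    r"^\s*dsize\s*:\s*(?:(\d+)\s*<>\s*(\d+)|([<>]?)\s*(\d+))\s*;?\s*$"
)


def parse_dsize(spec: str) -> Callable[[int], bool]:
    """Turn one dsize modifier into a predicate over a payload length in bytes."""
    m = _DSIZE_RE.match(spec)
    if not m:
        raise ValueError(f"unparseable dsize modifier: {spec!r}")
    lo, hi, op, n = m.groups()
    if lo is not None:
        lo_i, hi_i = int(lo), int(hi)
        return lambda size: lo_i <= size <= hi_i
    n_i = int(n)
    if op == "<":
        return lambda size: size < n_i
    if op == ">":
        return lambda size: size > n_i
    return lambda size: size == n_i


def evaluate_rules(rules: Dict[str, str],
                   payload_sizes: Dict[str, int]) -> Dict[str, List[str]]:
    """For each named rule variant, list the packet labels whose payload size satisfies it."""
    preds = {name: parse_dsize(spec) for name, spec in rules.items()}
    return {
        name: [pkt for pkt, size in payload_sizes.items() if pred(size)]
        for name, pred in preds.items()
    }


# Constructed sample payload sizes (not real captures).
SAMPLE_PACKETS = {
    "msdtc_probe_empty": 0,       # zero-byte payload, as Bill describes the genuine attack
    "http_response_small": 512,   # ordinary web traffic from source port 80
    "http_response_large": 1460,  # a full-size TCP segment from a web server
}

# The three dsize forms discussed in the thread.
RULE_VARIANTS = {
    "dsize_eq_0": "dsize:0;",
    "dsize_lt_1": "dsize:<1;",
    "dsize_gt_1023": "dsize:>1023;",
}


def main() -> None:
    for name, hits in evaluate_rules(RULE_VARIANTS, SAMPLE_PACKETS).items():
        print(f"{name:14} -> {hits}")


if __name__ == "__main__":
    main()
```

Running it shows `dsize_eq_0` and `dsize_lt_1` both selecting only the zero-byte packet and `dsize_gt_1023` selecting only the large HTTP segment; when tuning a noisy rule, comparing the modifier actually present in your ruleset against the payload sizes in the alerting packets (Snort's `-d` payload dump, or the pcap) is the quickest way to tell a semantics bug from a simple rule mismatch.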
