[Snort-users] DOS MSDTC attempt false positive
mkettler at ...4108...
Sat May 11 08:49:02 EDT 2002
That would be a bit strange, since the rule in my ruleset at least
specifies dsize > 1023. If a genuine MSDTC attack has 0 byte payload that
would guarantee that this rule is 100% false.
At 11:22 PM 5/10/2002 -0700, Bill McCarty wrote:
>As I recall, there was a report on snort-devel or snort-sigs indicating
>that the dsize=0 in the relevant rule is ignored by Snort. Authentic MSDTC
>attacks have a zero-byte payload, whereas your port 80 traffic likely does
>not. You can work around the problem by modifying the rule to specify
>dsize<1 rather than dsize=0.
>I recommend that you check the archives of snort-devel and snort-sig
>before taking my report as gospel. It's late and I'm tired, or I'd check
>it out rather than merely report it as I've done. Sorry for any inaccuracy.
>--On Thursday, May 09, 2002 1:36 AM +1000 Kenny D
><bitored2002 at ...3162...> wrote:
>>I am getting numerous DOS false positives such as DOS
>>MSDTC and DDOS mstream client to handler where the
>>source port is 80 and the destination port is 3372 and
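The dsize discussion in this thread, worked as a small added example (this is not code from the thread or from Snort itself): a Python model of the documented Snort `dsize` comparators (`dsize:N`, `dsize:<N`, `dsize:>N`; the `<>` range form is deliberately left out), run against two constructed packets that mirror the cases the posters describe, a zero-byte payload to port 3372 and a large reply from port 80 to port 3372. The payload lengths, the ephemeral port, and the rule labels are constructed assumptions; only the port 3372 / port 80 pairing and the three dsize variants come from the thread. It shows why a `dsize:>1023` rule can never fire on a zero-byte payload, and that `dsize:0` and `dsize:<1` select exactly the same sizes under correct semantics, so the suggested workaround only changes anything if the engine mishandles `dsize:0` as the quoted report claims.

```python
import re
from dataclasses import dataclass

# Documented Snort dsize forms modelled here: "N", "<N", ">N".
# (Snort also accepts "lo<>hi"; omitted since the thread does not use it.)
_DSIZE_RE = re.compile(r"^\s*(?P<op>[<>]?)\s*(?P<n>\d+)\s*$")


def parse_dsize(spec: str):
    """Turn a dsize option value into a predicate over payload length in bytes."""
    m = _DSIZE_RE.match(spec)
    if not m:
        raise ValueError(f"unsupported dsize spec: {spec!r}")
    n, op = int(m.group("n")), m.group("op")
    if op == "<":
        return lambda size: size < n
    if op == ">":
        return lambda size: size > n
    return lambda size: size == n  # bare number means "exactly N bytes"


@dataclass(frozen=True)
class Packet:
    label: str
    src_port: int
    dst_port: int
    payload_len: int


@dataclass(frozen=True)
class Rule:
    name: str
    dst_port: int
    dsize: str


# Constructed sample traffic (assumed sizes/ports, not captured data):
SAMPLE_PACKETS = (
    # Zero-byte payload to the MSDTC port, as the quoted report describes.
    Packet("zero-byte probe to 3372", 4211, 3372, 0),
    # Web server reply landing on an ephemeral port that happens to be 3372.
    Packet("HTTP response, 80 -> 3372", 80, 3372, 1460),
)

# The three dsize variants mentioned in the thread, all keyed on port 3372.
RULE_VARIANTS = (
    Rule("dsize:>1023 (mkettler's ruleset)", 3372, ">1023"),
    Rule("dsize:0 (rule as reported)", 3372, "0"),
    Rule("dsize:<1 (McCarty's workaround)", 3372, "<1"),
)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Minimal matcher: destination port plus the dsize predicate."""
    return pkt.dst_port == rule.dst_port and parse_dsize(rule.dsize)(pkt.payload_len)


def evaluate(rules=RULE_VARIANTS, packets=SAMPLE_PACKETS) -> dict:
    """Map each rule name to the labels of the sample packets that fire it."""
    return {r.name: [p.label for p in packets if rule_matches(r, p)] for r in rules}


def same_verdicts(spec_a: str, spec_b: str, max_len: int = 65535) -> bool:
    """True if two dsize specs agree on every payload length up to max_len."""
    a, b = parse_dsize(spec_a), parse_dsize(spec_b)
    return all(a(n) == b(n) for n in range(max_len + 1))


if __name__ == "__main__":
    for name, hits in evaluate().items():
        print(f"{name}: {hits or 'no match'}")
    print("dsize:0 == dsize:<1 on all sizes:", same_verdicts("0", "<1"))
```

Running it shows the `>1023` variant firing only on the 1460-byte HTTP reply and never on the zero-byte packet, which is the point mkettler makes: with a zero-byte genuine payload that rule cannot detect the real thing and will only ever produce false positives from large traffic to port 3372. The `0` and `<1` variants both fire on the zero-byte packet alone, and `same_verdicts` confirms they are interchangeable for every possible size when the comparator is evaluated correctly.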