[Snort-users] DOS MSDTC attempt false positive

Matt Kettler mkettler at ...4108...
Sat May 11 08:49:02 EDT 2002


That would be a bit strange, since the rule in my ruleset at least 
specifies dsize > 1023. If a genuine MSDTC attack has a 0-byte payload, that 
would guarantee that this rule is 100% false.


At 11:22 PM 5/10/2002 -0700, Bill McCarty wrote:
>Hi Kenny,
>
>As I recall, there was a report on snort-devel or snort-sigs indicating 
>that the dsize=0 in the relevant rule is ignored by Snort. Authentic MSDTC 
>attacks have a zero-byte payload, whereas your port 80 traffic likely does 
>not. You can work around the problem by modifying the rule to specify 
>dsize<1 rather than dsize=0.
>
>I recommend that you check the archives of snort-devel and snort-sig 
>before taking my report as gospel. It's late and I'm tired, or I'd check 
>it out rather than merely report it as I've done. Sorry for any inaccuracy 
>or confusion!
>
>Cheers,
>
>--On Thursday, May 09, 2002 1:36 AM +1000 Kenny D 
><bitored2002 at ...3162...> wrote:
>
>>I am getting numerous DOS false positives such as DOS
>>MSDTC and DDOS mstream client to handler where the
>>source port is 80 and the destination port is 3372 and
>>12754 respectively.
>
>---------------------------------------------------
>Bill McCarty
>
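To make the dsize discussion in this thread concrete, here is an added example (not code from the list or from the Snort project) that evaluates the three rule variants mentioned above, dsize:>1023, dsize:0 and dsize:<1, against constructed packet summaries. The rule texts and packets are hypothetical stand-ins built from the thread's wording; the comparison follows Snort's documented dsize semantics (bare number is equality, < and > are strict) and does not model the reported behaviour of dsize:0 being ignored.

```python
import re

# Constructed packet summaries (not real captures): src -> dst, payload length in bytes.
SAMPLE_PACKETS = [
    {"name": "HTTP ACK-only to 3372",   "src": 80,    "dst": 3372, "dsize": 0},
    {"name": "HTTP data to 3372",       "src": 80,    "dst": 3372, "dsize": 1460},
    {"name": "mid-size data to 3372",   "src": 40000, "dst": 3372, "dsize": 512},
    {"name": "zero-byte probe to 3372", "src": 40000, "dst": 3372, "dsize": 0},
]

# Hypothetical rule texts assembled from the thread; not the actual vendor signatures.
RULE_DSIZE_GT = 'alert tcp any any -> any 3372 (msg:"DOS MSDTC attempt"; dsize:>1023;)'
RULE_DSIZE_EQ = 'alert tcp any any -> any 3372 (msg:"DOS MSDTC attempt"; dsize:0;)'
RULE_DSIZE_LT = 'alert tcp any any -> any 3372 (msg:"DOS MSDTC attempt"; dsize:<1;)'

# Minimal header parser: action proto src_ip src_port -> dst_ip dst_port (
HEADER_RE = re.compile(r"^\w+\s+\w+\s+\S+\s+(\S+)\s+->\s+\S+\s+(\S+)\s*\(")
DSIZE_RE = re.compile(r"dsize\s*:\s*([<>]?)\s*(\d+)\s*;")


def parse_rule(rule):
    """Return (src_port, dst_port, dsize_op, dsize_value) from a one-line rule."""
    hdr = HEADER_RE.match(rule)
    ds = DSIZE_RE.search(rule)
    if not hdr or not ds:
        raise ValueError("unsupported rule syntax: " + rule)
    return hdr.group(1), hdr.group(2), ds.group(1) or "=", int(ds.group(2))


def port_ok(spec, port):
    return spec == "any" or int(spec) == port


def dsize_ok(op, value, payload_len):
    # Snort dsize semantics: a bare number tests equality, '<' and '>' are strict.
    if op == "<":
        return payload_len < value
    if op == ">":
        return payload_len > value
    return payload_len == value


def matching_packets(rule, packets=SAMPLE_PACKETS):
    """Names of the packets that satisfy the rule's ports and dsize test."""
    src, dst, op, value = parse_rule(rule)
    return [p["name"] for p in packets
            if port_ok(src, p["src"]) and port_ok(dst, p["dst"])
            and dsize_ok(op, value, p["dsize"])]


if __name__ == "__main__":
    for rule in (RULE_DSIZE_GT, RULE_DSIZE_EQ, RULE_DSIZE_LT):
        print(DSIZE_RE.search(rule).group(0), "->", matching_packets(rule))
```

Running it shows the >1023 form only fires on the 1460-byte packet (so it can never match a zero-byte attack), while both dsize:0 and dsize:<1 fire on every empty-payload segment to 3372, including the ACK-only web traffic that produced the false positive in the original report.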