[Snort-users] DOS MSDTC attempt false positive

Bill McCarty bmccarty at ...5196...
Sat May 11 19:29:02 EDT 2002

Yes, I've got it wrong. In the clarity of daylight, I find that I've 
confused the "DOS MSDTC" signature with the "DOS Bay/Nortel Nautica 
Marlin." The latter is apparently subject to false positives due to the 
problem I mentioned.

Sorry for the false lead!

--On Saturday, May 11, 2002 11:55 AM -0400 Matt Kettler 
<mkettler at ...4108...> wrote:

> Actualy I just checked with bugtraq, this exploit takes at least 1024
> bytes of data to cause the crash so the "0 bytes" idea bill had is a red
> herring. The rule is valid as it stands with dsize >1023.
> http://online.securityfocus.com/bid/4006/discussion/

Bill McCarty, Ph.D.
Associate Professor of Web & Information Technology
School of Business and Management
Azusa Pacific University

More information about the Snort-users mailing list