Snort mailing list archives
DOS MSDTC attempt false positive
From: Kenny D <bitored2002 () yahoo com au>
Date: Thu, 9 May 2002 01:36:40 +1000 (EST)
Hi,

I am getting numerous DOS false positives such as DOS MSDTC and DDOS mstream client to handler where the source port is 80 and the destination port is 3372 and 12754 respectively. These are return packets from an established connection, i.e. the destination port is 1023. I was thinking of writing a pass rule to ignore alerts where source port is 80 and destination port 1023. Is this pass rule commonly used, or can it make me vulnerable in any way? A way to ignore return packets in established TCP connections would be extremely useful. I use snort 1.8.6 on redhat 7.2.

Rgds,
Kenny.
Current thread:
- DOS MSDTC attempt false positive Kenny D (May 08)
- Re: DOS MSDTC attempt false positive Matt Kettler (May 08)
- Re: DOS MSDTC attempt false positive Kenny D (May 08)
- Re: DOS MSDTC attempt false positive Roberto Suarez Soto (May 09)
- Re: DOS MSDTC attempt false positive Bill McCarty (May 10)
- Re: DOS MSDTC attempt false positive Matt Kettler (May 11)
- Re: DOS MSDTC attempt false positive Matt Kettler (May 11)
- Re: DOS MSDTC attempt false positive Bill McCarty (May 11)
- Re: DOS MSDTC attempt false positive Matt Kettler (May 08)