Snort mailing list archives

Re: DOS MSDTC attempt false positive


From: Matt Kettler <mkettler () evi-inc com>
Date: Sat, 11 May 2002 11:51:13 -0400

That would be a bit strange, since the rule in my ruleset at least specifies dsize > 1023. If a genuine MSDTC attack has 0 byte payload that would guarantee that this rule is 100% false.


At 11:22 PM 5/10/2002 -0700, Bill McCarty wrote:
Hi Kenny,

As I recall, there was a report on snort-devel or snort-sigs indicating that the dsize=0 in the relevant rule is ignored by Snort. Authentic MSDTC attacks have a zero-byte payload, whereas your port 80 traffic likely does not. You can work around the problem by modifying the rule to specify dsize<1 rather than dsize=0.

I recommend that you check the archives of snort-devel and snort-sig before taking my report as gospel. It's late and I'm tired, or I'd check it out rather than merely report it as I've done. Sorry for any inaccuracy or confusion!

Cheers,

--On Thursday, May 09, 2002 1:36 AM +1000 Kenny D <bitored2002 () yahoo com au> wrote:

I am getting numerous DOS false positives such as DOS MSDTC and DDOS mstream client to handler, where the source port is 80 and the destination port is 3372 and 12754 respectively.

---------------------------------------------------
Bill McCarty

_______________________________________________________________

Have big pipes? SourceForge.net is looking for download mirrors. We supply
the hardware. You get the recognition. Email Us: bandwidth () sourceforge net
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
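
The thread turns on what Snort's `dsize` option actually matches: the `dsize:0` versus `dsize:<1` workaround in Bill's message, and Matt's point that a rule carrying `dsize:>1023` can never fire on a genuine zero-byte MSDTC packet. The following Python evaluator is an added example, not code from the thread, from Snort, or from the Snort ruleset; it implements the documented `dsize` semantics (equal, less-than, greater-than, checked against payload length) and does not model the reported bug that `dsize:0` is ignored. The rule strings and the two traffic samples are constructed for illustration; they are not the real signature text. It lets you check, before deploying a rule variant, which payload sizes each variant would alert on and whether the rule can ever match a zero-byte payload at all.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Minimal model of Snort's dsize option: "dsize:N;" (equal), "dsize:<N;" (less
# than) and "dsize:>N;" (greater than), tested against the TCP/UDP payload
# length. The range form (min<>max) and every other rule option are left out.


@dataclass(frozen=True)
class DsizeTest:
    op: str      # "eq", "lt" or "gt"
    value: int


@dataclass(frozen=True)
class Rule:
    msg: str
    src_port: str          # "any" or a single port number
    dst_port: str
    dsize: Optional[DsizeTest]


HEADER_RE = re.compile(r"^\s*alert\s+\w+\s+\S+\s+(\S+)\s+->\s+\S+\s+(\S+)\s*\(")
MSG_RE = re.compile(r'msg\s*:\s*"([^"]*)"\s*;')
DSIZE_RE = re.compile(r"dsize\s*:\s*([<>]?)\s*(\d+)\s*;")


def parse_rule(text: str) -> Rule:
    """Extract ports, msg and the dsize test from a single-line alert rule."""
    header = HEADER_RE.match(text)
    if header is None:
        raise ValueError("only 'alert <proto> <ip> <port> -> <ip> <port> (...)' rules are supported")
    src_port, dst_port = header.groups()
    msg = MSG_RE.search(text)
    dsize_match = DSIZE_RE.search(text)
    dsize = None
    if dsize_match:
        op = {"": "eq", "<": "lt", ">": "gt"}[dsize_match.group(1)]
        dsize = DsizeTest(op, int(dsize_match.group(2)))
    return Rule(msg.group(1) if msg else "", src_port, dst_port, dsize)


def dsize_matches(test: Optional[DsizeTest], payload_len: int) -> bool:
    """Documented dsize semantics; a rule without dsize matches any length."""
    if test is None:
        return True
    if test.op == "eq":
        return payload_len == test.value
    if test.op == "lt":
        return payload_len < test.value
    return payload_len > test.value


def port_matches(spec: str, port: int) -> bool:
    return spec == "any" or int(spec) == port


def rule_matches(rule: Rule, src_port: int, dst_port: int, payload_len: int) -> bool:
    return (port_matches(rule.src_port, src_port)
            and port_matches(rule.dst_port, dst_port)
            and dsize_matches(rule.dsize, payload_len))


def can_match_zero_payload(rule: Rule) -> bool:
    """Sanity check for a rule meant to catch a zero-byte probe: if this is
    False, the rule can only ever fire on traffic that is not the attack."""
    return dsize_matches(rule.dsize, 0)


# Constructed rule variants for the "DOS MSDTC attempt" signature discussed in
# the thread; illustrative only, not the actual Snort rule text.
RULE_EQ0 = 'alert tcp any any -> $HOME_NET 3372 (msg:"DOS MSDTC attempt"; dsize:0;)'
RULE_LT1 = 'alert tcp any any -> $HOME_NET 3372 (msg:"DOS MSDTC attempt"; dsize:<1;)'
RULE_GT1023 = 'alert tcp any any -> $HOME_NET 3372 (msg:"DOS MSDTC attempt"; dsize:>1023;)'

# Constructed traffic samples: (label, src_port, dst_port, payload length).
TRAFFIC: List[Tuple[str, int, int, int]] = [
    ("zero-byte segment to 3372 (shape of the genuine probe)", 40000, 3372, 0),
    ("1400-byte HTTP response from port 80 to client port 3372", 80, 3372, 1400),
]


def evaluate(rule_text: str) -> List[bool]:
    """One True/False per TRAFFIC entry, in order."""
    rule = parse_rule(rule_text)
    return [rule_matches(rule, s, d, n) for _, s, d, n in TRAFFIC]


if __name__ == "__main__":
    for name, text in (("dsize:0", RULE_EQ0), ("dsize:<1", RULE_LT1), ("dsize:>1023", RULE_GT1023)):
        rule = parse_rule(text)
        print(f"{name:12} can match zero-byte probe: {can_match_zero_payload(rule)}")
        for (label, _, _, _), hit in zip(TRAFFIC, evaluate(text)):
            print(f"  {'ALERT' if hit else 'quiet'}  {label}")
```

Running it shows the two sides of the thread side by side: the `dsize:0` and `dsize:<1` variants alert on the zero-byte segment and stay quiet on the 1400-byte port-80 response, while the `dsize:>1023` variant does the opposite, which is exactly the false-positive pattern Kenny reported and the reason Matt calls that variant 100% false if real attacks carry no payload.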