Snort mailing list archives
Re: FP:10995 rev3
From: Matt Watchinski <mwatchinski () sourcefire com>
Date: Tue, 30 Mar 2010 18:52:19 -0400
Can you provide pcap and snort.conf? Send to fp () sourcefire com if you don't want it on list. Cheers, -matt
On Tue, Mar 30, 2010 at 4:47 PM, <snort () leeclemens net> wrote:
Hello, I believe I am seeing a FP with this BDAT DoS attempt. The packet being alerted on is SMTP, payload length 23, containing only: EHLO <server name> 0D 0A Is this correct? The rule appears to use content "BDAT", which is not contained in the server name either. -Lee
------------------------------------------------------------------------------ Download Intel® Parallel Studio Eval Try the new software tools for yourself. Speed compiling, find bugs proactively, and fine-tune applications for parallel performance. See why Intel Parallel Studio got high marks during beta. http://p.sf.net/sfu/intel-sw-dev
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs
-- Matthew Watchinski Sr. Director Vulnerability Research Team (VRT) Sourcefire, Inc. Office: 410-423-1928 http://vrt-sourcefire.blogspot.com && http://www.snort.org/vrt/
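Matt asks for a pcap so the alert can be replayed. The script below is an added example, not code from the thread or from Sourcefire: it writes a one-packet pcap carrying the 23-byte client payload Lee describes (the hostname "mail.example.com", addresses, ports and timestamp are constructed placeholders chosen so that "EHLO " + name + CRLF is exactly 23 bytes), reads the pcap back the way a sensor would, and applies a plain content match for "BDAT" to the payload. It assumes the rule's relevant test is an unmodified `content:"BDAT"` on traffic to port 25, which is all the report states; any flow, offset or pcre modifiers in the real rule are not modelled.

```python
"""Build a minimal pcap for an FP report and check what a content match sees.
Added example; not from the Snort-sigs thread or the VRT rule set."""
import struct
import socket

# Constructed sample values, not captured traffic: a 16-character hostname
# gives the 23-byte payload from the report ("EHLO " + name + "\r\n").
SMTP_PAYLOAD = b"EHLO mail.example.com\r\n"
CLIENT_IP, SERVER_IP = "192.0.2.10", "198.51.100.25"
CLIENT_PORT, SERVER_PORT = 40000, 25
FAKE_TS_SEC = 1269980820  # placeholder timestamp, not from the thread


def _checksum(data: bytes) -> int:
    """RFC 1071 ones-complement sum over 16-bit words (IP and TCP checksums)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(payload: bytes) -> bytes:
    """Ethernet/IPv4/TCP (PSH|ACK) frame carrying `payload` from client to server."""
    src, dst = socket.inet_aton(CLIENT_IP), socket.inet_aton(SERVER_IP)
    # TCP header with a zero checksum, then fill it in over the pseudo-header.
    tcp = struct.pack("!HHIIBBHHH", CLIENT_PORT, SERVER_PORT, 1000, 2000,
                      5 << 4, 0x18, 65535, 0, 0)
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(tcp) + len(payload))
    tcp = tcp[:16] + struct.pack("!H", _checksum(pseudo + tcp + payload)) + tcp[18:]
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0x4000, 64, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", _checksum(ip)) + ip[12:]
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    return eth + ip + tcp + payload


def build_pcap(frames) -> bytes:
    """Classic pcap: 24-byte global header (LINKTYPE_ETHERNET), then one record per frame."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", FAKE_TS_SEC + i, 0, len(frame), len(frame)) + frame
    return out


def tcp_payloads(pcap: bytes):
    """Yield (dst_port, payload) for every IPv4/TCP record: what the engine inspects."""
    pos = 24
    while pos + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack("<IIII", pcap[pos:pos + 16])
        frame = pcap[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        if frame[12:14] != b"\x08\x00":      # not IPv4
            continue
        ihl = (frame[14] & 0x0F) * 4
        ip_total = struct.unpack("!H", frame[16:18])[0]
        if frame[23] != 6:                   # not TCP
            continue
        tcp = frame[14 + ihl:14 + ip_total]
        doff = (tcp[12] >> 4) * 4
        yield struct.unpack("!H", tcp[2:4])[0], tcp[doff:]


def rule_content_hits(pcap: bytes, content: bytes = b"BDAT", port: int = SERVER_PORT):
    """Payloads to `port` that a bare content match on `content` would fire on.
    Assumption: the rule's decisive test is an unmodified content:"BDAT"."""
    return [p for dport, p in tcp_payloads(pcap) if dport == port and content in p]


if __name__ == "__main__":
    pcap = build_pcap([build_frame(SMTP_PAYLOAD)])
    with open("fp_10995.pcap", "wb") as fh:   # file name is an assumption
        fh.write(pcap)
    print("payload length:", len(SMTP_PAYLOAD), "content hits:", rule_content_hits(pcap))
```

Replaying the file against a sensor with only the rule in question enabled (for example `snort -c snort.conf -r fp_10995.pcap -A console`) is the check to run before sending the capture to the fp address: if the plain content match above finds nothing but the sensor still alerts, something other than the quoted "BDAT" content (a preprocessor, a stream reassembly artifact, or another option in the rule) is driving the alert, which is exactly what the snort.conf is needed to tell apart.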
Current thread:
- FP:10995 rev3 snort (Mar 30)
- Re: FP:10995 rev3 Matt Watchinski (Mar 30)
- Re: FP:10995 rev3 Lee Clemens (Mar 31)
- Re: FP:10995 rev3 Matt Watchinski (Mar 30)