Snort mailing list archives

Re: FP:10995 rev3


From: "Lee Clemens" <snort () leeclemens net>
Date: Wed, 31 Mar 2010 21:44:02 -0400

For anyone watching this thread:

With thanks to Alex and VRT, I have disabled this sid (will be disabled in
future VRT rulesets) and continue to use its SO replacement: 13718


-----Original Message-----
From: Matt Watchinski [mailto:mwatchinski () sourcefire com] 
Sent: Tuesday, March 30, 2010 6:52 PM

Can you provide pcap and snort.conf?  Send to fp () sourcefire com if you don't
want it on list.

Cheers,
-matt


On Tue, Mar 30, 2010 at 4:47 PM, <snort () leeclemens net> wrote:


        Hello,
        
        I believe I am seeing a FP with this BDAT DoS attempt.
        
        The packet being alerted on is SMTP, payload length 23, containing
only:
        EHLO <server name> 0D 0A
        
        Is this correct? The rule appears to use content "BDAT", which is
not contained in the server name either.
        
        -Lee
        
        
        
----------------------------------------------------------------------------
--
        Download Intel® Parallel Studio Eval
        Try the new software tools for yourself. Speed compiling, find bugs
        proactively, and fine-tune applications for parallel performance.
        See why Intel Parallel Studio got high marks during beta.
        http://p.sf.net/sfu/intel-sw-dev
        _______________________________________________
        Snort-sigs mailing list
        Snort-sigs () lists sourceforge net
        https://lists.sourceforge.net/lists/listinfo/snort-sigs
        




-- 
Matthew Watchinski
Sr. Director Vulnerability Research Team (VRT)
Sourcefire, Inc.
Office: 410-423-1928
http://vrt-sourcefire.blogspot.com && http://www.snort.org/vrt/
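The thread turns on whether a 23-byte "EHLO <server name>\r\n" packet can satisfy a rule whose content is "BDAT". The following Python is an added example, not code from the thread or from the VRT ruleset; it reproduces two content checks offline so the false positive can be triaged before sending a pcap. The naive check assumes the rule matches "BDAT" anywhere in the payload with nocase (an assumption, since the rule text is not quoted here); the command-anchored check is an alternative of my own that only fires when BDAT is the SMTP verb at the start of a line. All payloads are constructed; the first is deliberately 23 bytes like the packet Lee reported.

```python
import re

# Constructed sample payloads (not captures from the thread).
# 23 bytes, the same length reported for the alerting EHLO packet.
EHLO_OK = b"EHLO mail.example.com\r\n"
# A hostname that happens to contain the string "bdat" (constructed).
EHLO_BDAT_HOST = b"EHLO bdat.example.org\r\n"
# A genuine BDAT command (chunk size 1024, final chunk).
REAL_BDAT = b"BDAT 1024 LAST\r\n"
# Two commands pipelined in one segment; BDAT is not at offset 0.
PIPELINED = b"EHLO mail.example.com\r\nBDAT 5\r\n"


def naive_match(payload: bytes) -> bool:
    """Assumed approximation of content:"BDAT"; nocase; anywhere in payload."""
    return b"bdat" in payload.lower()


# Command-anchored alternative: BDAT must be the verb at the start of a
# line and be followed by at least one argument character. MULTILINE
# covers pipelined commands, IGNORECASE covers SMTP's case-insensitive verbs.
_BDAT_CMD = re.compile(rb"^BDAT[ \t]+\S", re.IGNORECASE | re.MULTILINE)


def command_match(payload: bytes) -> bool:
    """True only when BDAT appears as an SMTP command, not inside a hostname."""
    return _BDAT_CMD.search(payload) is not None


def triage(payload: bytes) -> dict:
    """Summarise how each check treats a payload, for FP investigation."""
    return {
        "length": len(payload),
        "naive": naive_match(payload),
        "command": command_match(payload),
    }


if __name__ == "__main__":
    samples = [("EHLO_OK", EHLO_OK), ("EHLO_BDAT_HOST", EHLO_BDAT_HOST),
               ("REAL_BDAT", REAL_BDAT), ("PIPELINED", PIPELINED)]
    for name, p in samples:
        print(f"{name:15} {triage(p)}")
```

If the alerting payload fails even the naive check, as the EHLO packet in this thread does, the content match alone cannot explain the alert, which is why the VRT asked for the pcap and snort.conf rather than guessing. The command-anchored variant shows how a hostname containing "bdat" would trip a bare content match but not a verb-position check; it is offered as a triage aid, not as the replacement rule's logic.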





