Snort Forums Archive
False positive with SID = 1408
Posted by BruceBriggs on April 05, 2005 06:45:27
SID = 1408 DOS MSDTC attempt
False positive:
source port = 443
dest port = 3372
This is a reply packet to a client ($HOME_NET) from a web server ($EXTERNAL_NET) using HTTPS.
Posted by nigel on April 05, 2005 09:38:35
That's right, it probably is a false positive; since the rule only looks at the datagram size and port, this may occur once in a while. In order to cause the DoS condition you only have to send 1024 bytes of data (nothing special at all) to port 3372.
Check the affected systems section in the doc for the rule; if you are not affected, you can safely ignore this event and maybe even disable the rule.
Posted by BruceBriggs on April 05, 2005 11:17:55
Yup, already did that.
Just trying to be a good Snort citizen and post helpful info.
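The false positive discussed in this thread, as an added example that is not part of the original posts or of Snort: a port-and-size check flags an HTTPS reply whose client port happens to be 3372, while tracking who opened the connection separates it from traffic sent toward a 3372 listener. The packet records, addresses, the `>=` 1024 threshold and all function names are constructed assumptions.

```python
from collections import namedtuple

# Constructed packet records (not captured traffic); syn = SYN set, ACK clear.
Pkt = namedtuple("Pkt", "src sport dst dport syn payload_len")

MSDTC_PORT = 3372      # port named in the thread
SIZE_THRESHOLD = 1024  # assumption: the size the reply says is enough

def naive_match(pkt):
    """Port-and-size check only, as the reply describes the rule."""
    return pkt.dport == MSDTC_PORT and pkt.payload_len >= SIZE_THRESHOLD

def triage(packets):
    """Return (pkt, verdict) for every packet the naive check flags.

    The first SYN seen on a connection marks its initiator (the client).
    A flagged packet heading to the initiator is reply traffic.
    """
    initiators = {}  # frozenset of both endpoints -> client endpoint
    results = []
    for pkt in packets:
        a, b = (pkt.src, pkt.sport), (pkt.dst, pkt.dport)
        key = frozenset((a, b))
        if pkt.syn and key not in initiators:
            initiators[key] = a
        if not naive_match(pkt):
            continue
        client = initiators.get(key)
        if client is None:
            verdict = "unknown-direction"  # no SYN seen, cannot decide
        elif client == b:
            verdict = "reply-to-client"    # likely false positive
        else:
            verdict = "to-server"          # data sent toward a 3372 listener
        results.append((pkt, verdict))
    return results

SAMPLE = [
    # HTTPS session whose client-side ephemeral port happens to be 3372
    Pkt("10.0.0.5", 3372, "203.0.113.10", 443, True, 0),
    Pkt("203.0.113.10", 443, "10.0.0.5", 3372, False, 1400),
    # Connection opened from outside to a host listening on 3372
    Pkt("198.51.100.7", 40000, "10.0.0.9", 3372, True, 0),
    Pkt("198.51.100.7", 40000, "10.0.0.9", 3372, False, 1024),
]

if __name__ == "__main__":
    for pkt, verdict in triage(SAMPLE):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} {verdict}")
```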