[Dshield] Could this be done ?

John Sage jsage at finchhaven.com
Sun Sep 15 01:29:43 GMT 2002

<full disclosure mode=on>

On Wed, Sep 11, 2002 at 12:07:12PM -0700, John Draper wrote:
> >Interesting. I have a question posted on the snort list right now
> >that concerns an RPC false positive:
> There was a whole section and discussion at the Orlando SANS conf in Apr.
> on the false positive problem with RPC.
> The snort people are definately aware of it.    Not sure what they've done about it yet.

The "false postive" I saw, and about the next three people who read
posts about the "false positive" all missed the colon ( : ) after the
digits "32770" thus making the rule affect all ports 32770 and

Thus my "false positive" wasn't :-/

An extra fiver in Chris Green's pay packet for paying enough attention
to finally notice what we weren't seeing, and Erek Adams and I are
going to get together sometime Real Soon Now(tm) to take our
self-imposed three drink penalty...

(see: http://www.theadamsfamily.net/~erek/snort/drinking_game.txt )

</full disclosure mode=off>

/* sigh */

- John
"Obviously, we do not want to leave zombies around."

PGP key:     http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint: C493 9F26 05A9 6497 9800  4EF6 5FC8 F23D 35A4 F705

More information about the list mailing list