[Dshield] Could this be done ?
jsage at finchhaven.com
Sun Sep 15 01:29:43 GMT 2002
<full disclosure mode=on>
On Wed, Sep 11, 2002 at 12:07:12PM -0700, John Draper wrote:
> >Interesting. I have a question posted on the snort list right now
> >that concerns an RPC false positive:
> There was a whole section and discussion at the Orlando SANS conf in Apr.
> on the false positive problem with RPC.
> The snort people are definitely aware of it. Not sure what they've done about it yet.
The "false positive" I saw, and about the next three people who read
posts about the "false positive" all missed the colon ( : ) after the
digits "32770" thus making the rule affect all ports 32770 and
Thus my "false positive" wasn't :-/
An extra fiver in Chris Green's pay packet for paying enough attention
to finally notice what we weren't seeing, and Erek Adams and I are
going to get together sometime Real Soon Now(tm) to take our
self-imposed three drink penalty...
(see: http://www.theadamsfamily.net/~erek/snort/drinking_game.txt )
</full disclosure mode=off>
/* sigh */
"Obviously, we do not want to leave zombies around."
PGP key: http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint: C493 9F26 05A9 6497 9800 4EF6 5FC8 F23D 35A4 F705