[Snort-sigs] Suspected False Positives - SID 2102

Jeff Oliveto joliveto at ...1262...
Thu Apr 3 13:43:02 EST 2003


Running Snort 1.9.1 and Demarc 1.6.  
 
Just updated Snort signatures on some sensors this morning, and I am getting
many of what I believe are false positives on new SID 2102 "NETBIOS SMB
SMB_COM_TRANSACTION Max Data Count of 0 DOS Attempt".  Seeing it on two
different networks.  The source in both instances of the packet captures
provided below is a trusted host.  
 
Comments?  
 
 
00 00 00 76 FF 53 4D 42 25 00 00 00 00 18 07 D8   ...v.SMB%.......
00 00 00 00 00 00 00 00 00 00 00 00 00 10 F8 00   ................
00 18 00 01 0E 1A 00 00 00 08 00 68 10 00 00 00   ...........h....
00 88 13 00 00 00 00 1A 00 5C 00 00 00 00 00 00   .........\......
00 37 00 00 5C 00 50 00 49 00 50 00 45 00 5C 00   .7..\.P.I.P.E.\.
4C 00 41 00 4E 00 4D 00 41 00 4E 00 00 00 00 00   L.A.N.M.A.N.....
68 00 57 72 4C 65 68 44 4F 00 42 31 36 42 42 44   h.WrLehDO.B16BBD
7A 00 01 00 68 10 FF FF FF FF                     z...h.....
 
 
 
00 00 00 9C FF 53 4D 42 25 00 00 00 00 18 07 C8   .....SMB%.......
00 00 00 00 00 00 00 00 00 00 00 00 00 20 EC 00   ............. ..
03 30 80 02 10 00 00 48 00 00 00 00 04 00 00 00   .0.....H........
00 00 00 00 00 00 00 00 00 54 00 48 00 54 00 02   .........T.H.T..
00 26 00 01 40 59 00 05 5C 00 50 00 49 00 50 00   .&..@Y..\.P.I.P.
45 00 5C 00 00 00 64 00 05 00 0B 03 10 00 00 00   E.\...d.........
48 00 00 00 01 00 00 00 B8 10 B8 10 00 00 00 00   H...............
01 00 00 00 00 00 01 00 98 D0 FF 6B 12 A1 10 36   ...........k...6
98 33 01 28 92 02 01 62 00 00 00 00 04 5D 88 8A   .3.(...b.....]..
EB 1C C9 11 9F E8 08 00 2B 10 48 60 02 00 00 00   ........+.H`....


Jeff Oliveto
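The check a reader of this report would want is to decode the two quoted transactions and see which count fields are actually zero. The Python below is an added example written for this page, not code from the original post or from the Snort rule set; it parses the SMB_COM_TRANSACTION request layout given in MS-CIFS out of the two NetBIOS-framed dumps quoted above (copied byte for byte) and implements the condition the rule's message names, MaxDataCount equal to zero. All function and variable names are this example's own, and `with_max_data_count` produces a constructed variant of the first dump so the positive case can be exercised too. On both dumps the decoder reports a non-zero MaxDataCount (0x1068 for the RAP NetServerEnum2 request to \PIPE\LANMAN, 0x0400 for the TransactNmPipe carrying a DCE/RPC bind); the fields that are zero in the first dump are TotalDataCount and DataCount, which sit a few bytes away from MaxDataCount and are what a fixed-offset content match aimed at the wrong word would see.

```python
"""Decode SMB_COM_TRANSACTION requests and apply the MaxDataCount == 0 condition
named by SID 2102.  Added example for this page, not code from the post or Snort.
Field layout follows MS-CIFS for the SMB_COM_TRANSACTION request."""
import struct

SMB_COM_TRANSACTION = 0x25
SMB_FLAGS2_UNICODE = 0x8000

# Packet 1 as posted: RAP NetServerEnum2 over \PIPE\LANMAN (NetBIOS session framed).
PKT1 = bytes.fromhex("""
00 00 00 76 FF 53 4D 42 25 00 00 00 00 18 07 D8
00 00 00 00 00 00 00 00 00 00 00 00 00 10 F8 00
00 18 00 01 0E 1A 00 00 00 08 00 68 10 00 00 00
00 88 13 00 00 00 00 1A 00 5C 00 00 00 00 00 00
00 37 00 00 5C 00 50 00 49 00 50 00 45 00 5C 00
4C 00 41 00 4E 00 4D 00 41 00 4E 00 00 00 00 00
68 00 57 72 4C 65 68 44 4F 00 42 31 36 42 42 44
7A 00 01 00 68 10 FF FF FF FF""")

# Packet 2 as posted: TransactNmPipe on \PIPE\ carrying a DCE/RPC bind.
PKT2 = bytes.fromhex("""
00 00 00 9C FF 53 4D 42 25 00 00 00 00 18 07 C8
00 00 00 00 00 00 00 00 00 00 00 00 00 20 EC 00
03 30 80 02 10 00 00 48 00 00 00 00 04 00 00 00
00 00 00 00 00 00 00 00 00 54 00 48 00 54 00 02
00 26 00 01 40 59 00 05 5C 00 50 00 49 00 50 00
45 00 5C 00 00 00 64 00 05 00 0B 03 10 00 00 00
48 00 00 00 01 00 00 00 B8 10 B8 10 00 00 00 00
01 00 00 00 00 00 01 00 98 D0 FF 6B 12 A1 10 36
98 33 01 28 92 02 01 62 00 00 00 00 04 5D 88 8A
EB 1C C9 11 9F E8 08 00 2B 10 48 60 02 00 00 00""")


def decode_transaction(pkt: bytes) -> dict:
    """Parse a NetBIOS-session-framed SMB_COM_TRANSACTION request into its fields.
    Offsets used internally are relative to the SMB header (the \\xFFSMB signature),
    which is how ParameterOffset and DataOffset are defined."""
    if len(pkt) < 4 + 32 + 1 or pkt[0] != 0x00:
        raise ValueError("not a NetBIOS session message")
    if int.from_bytes(pkt[1:4], "big") != len(pkt) - 4:
        raise ValueError("NetBIOS length does not match the bytes present")
    smb = pkt[4:]
    if smb[:4] != b"\xffSMB":
        raise ValueError("missing SMB signature")
    if smb[4] != SMB_COM_TRANSACTION:
        raise ValueError("command 0x%02x is not SMB_COM_TRANSACTION" % smb[4])
    flags2 = struct.unpack_from("<H", smb, 10)[0]
    word_count = smb[32]
    if word_count < 14:
        raise ValueError("SMB_COM_TRANSACTION carries at least 14 parameter words")
    # The 14 fixed parameter words directly follow WordCount (little-endian).
    (total_param, total_data, max_param, max_data, max_setup, _r1, _tflags, timeout,
     _r2, param_count, param_off, data_count, data_off, setup_count, _r3,
     ) = struct.unpack_from("<HHHHBBHIHHHHHBB", smb, 33)
    if word_count != 14 + setup_count:
        raise ValueError("WordCount %d inconsistent with SetupCount %d" % (word_count, setup_count))
    setup = struct.unpack_from("<%dH" % setup_count, smb, 61)
    bc_off = 61 + 2 * setup_count
    byte_count = struct.unpack_from("<H", smb, bc_off)[0]
    if bc_off + 2 + byte_count != len(smb):
        raise ValueError("ByteCount does not match the bytes present")
    # Name: NUL-terminated; UTF-16LE when FLAGS2_UNICODE is set, in which case it is
    # padded to an even offset from the SMB header (the pad byte's value is undefined).
    name_start = bc_off + 2
    if flags2 & SMB_FLAGS2_UNICODE:
        name_start += name_start % 2
        end = name_start
        while end + 2 <= len(smb) and smb[end:end + 2] != b"\x00\x00":
            end += 2
        if end + 2 > len(smb):
            raise ValueError("unterminated Unicode name")
        name = smb[name_start:end].decode("utf-16-le")
    else:
        end = smb.index(b"\x00", name_start)
        name = smb[name_start:end].decode("ascii")
    return {
        "flags2": flags2,
        "total_parameter_count": total_param,
        "total_data_count": total_data,
        "max_parameter_count": max_param,
        "max_data_count": max_data,
        "max_setup_count": max_setup,
        "timeout": timeout,
        "parameter_count": param_count,
        "data_count": data_count,
        "setup": setup,
        "byte_count": byte_count,
        "name": name,
        "params": smb[param_off:param_off + param_count],
        "data": smb[data_off:data_off + data_count],
    }


def max_data_count_is_zero(pkt: bytes) -> bool:
    """The condition the SID 2102 message describes, evaluated on the decoded field."""
    return decode_transaction(pkt)["max_data_count"] == 0


# NetBIOS header (4) + SMB header (32) + WordCount (1) + three parameter words (6).
MAX_DATA_COUNT_OFFSET = 43


def with_max_data_count(pkt: bytes, value: int) -> bytes:
    """Constructed test input: a copy of pkt with MaxDataCount overwritten."""
    return pkt[:MAX_DATA_COUNT_OFFSET] + struct.pack("<H", value) + pkt[MAX_DATA_COUNT_OFFSET + 2:]


if __name__ == "__main__":
    for label, pkt in (("packet 1", PKT1), ("packet 2", PKT2)):
        t = decode_transaction(pkt)
        print("%s %-14s MaxDataCount=%#06x TotalDataCount=%d DataCount=%d -> SID 2102 condition: %s"
              % (label, t["name"], t["max_data_count"], t["total_data_count"],
                 t["data_count"], max_data_count_is_zero(pkt)))
```

Running it shows that neither posted transaction has MaxDataCount of 0, so if the rule is meant to catch only that field it should stay quiet on both; `with_max_data_count(PKT1, 0)` is the constructed case on which the condition does hold, which is the packet a sensor should alert on.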
