[Snort-sigs] New SMB_COM_TRANSACTION alerts look pretty "broken"

Jason Haar Jason.Haar at ...651...
Sun Apr 6 15:01:04 EDT 2003


...I say that because the moment I told Snort to alert on them, it triggered
over 1,000 alerts in ~3 min on a 10M WAN link. 

BTW this is the "NETBIOS SMB SMB_COM_TRANSACTION Max Data Count of 0 DOS
Attempt" alert - not the "NETBIOS SMB SMB_COM_TRANSACTION Max Parameter
Count of 0 DOS Attempt" one.

A quick glance seems to show this is triggering on connections from Win2K
clients to both WinNT4 and Win2K servers.

This is under snort 1.9.1

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1




More information about the Snort-sigs mailing list