[Snort-sigs] New SMB_COM_TRANSACTION alerts look pretty "broken"

Jason Haar Jason.Haar at ...651...
Sun Apr 6 15:01:04 EDT 2003

...I say that because the moment I told Snort to alert on them, it triggered
over 1,000 alerts in ~3 min on a 10M WAN link. 

BTW this is the "NETBIOS SMB SMB_COM_TRANSACTION Max Data Count of 0 DOS
Attempt" alert - not the "NETBIOS SMB SMB_COM_TRANSACTION Max Parameter
Count of 0 DOS Attempt" one.

A quick glance seems to show this is triggering on connections from Win2K
clients to both WinNT4 and Win2K servers.

This is under Snort 1.9.1.


Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
