[Snort-sigs] NETBIOS DCERPC ISystemActivator bind attempt

d'Ambly, Jeff jdambly at ...1900...
Fri Sep 26 06:02:09 EDT 2003


Nope some of the servers are not exchange. 

-----Original Message-----
From: Luedke, Mike [mailto:Mike.Luedke at ...1908...] 
Sent: Thursday, September 25, 2003 4:49 PM
To: d'Ambly, Jeff
Subject: RE: [Snort-sigs] NETBIOS DCERPC ISystemActivator bind attempt

Hi Jeff,

I see regular false positives for this rule between Microsoft Exchange
Servers within our enterprise.  By chance, are the source and destination of
your alerts Exchange hosts?


d'Ambly, Jeff wrote:

> Has anyone found a false positive for the NETBIOS DCERPC 
> ISystemActivator bind attempt rule? I have a machine that is constantly 
> matching this rule, but I ran the Symantec tools to look for the MS 
> blast worm and it found nothing.
>




More information about the Snort-sigs mailing list