[Snort-sigs] SID 466 - False Positive

Michael Stenzel m.stenzel at ...2391...
Fri Apr 9 08:54:09 EDT 2004


Sid: 466
Message: ICMP L3retriever Ping

This rule has a false positive: Windows XP with Service Pack 2 RC1 generates 
this message while accessing a Samba NetBIOS share ...

Here's my ACID output ...
---snip---
Generated by ACID v0.9.6b23 on Thu,  8 Apr 2004 15:26:50 +0200

------------------------------------------------------------------------------
#(2 - 71) [2004-04-08 15:13:03] [arachNIDS/311] [snort/466]  ICMP L3retriever 
Ping
IPv4: 192.168.0.191 -> 192.168.0.1
      hlen=5 TOS=0 dlen=60 ID=35 flags=0 offset=0 TTL=32 chksum=6286
ICMP: type=Echo Request code=0
      checksum=19550 id= seq=
Payload:  length = 32

000 : 41 42 43 44 45 46 47 48 49 4A 4B 4C 4D 4E 4F 50   ABCDEFGHIJKLMNOP
010 : 51 52 53 54 55 56 57 41 42 43 44 45 46 47 48 49   QRSTUVWABCDEFGHI
------

This was a freshly installed Windows XP Service Pack 2 RC1 in VMware ;)

Hope I could be helpful.

best regards

Michael Stenzel
-- 
GPG Public Key fingerprint:
DD6C 37A5 D428 1AD8 212F  6B7D 6843 F63E 2DA5 5AF5
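
A triage helper for alerts like the one reported above, added here as an example and not part of the original post or of Snort/ACID: it rebuilds the payload from the ACID dump lines, classifies the echo pattern, and cross-checks the length fields. Function names are hypothetical; it assumes ACID's dlen is the IP total length, and the lowercase a-w pattern (the default Windows ping.exe payload) comes from general knowledge, not from the post.

```python
import re

# Payload lines copied from the ACID alert in the post above.
ACID_DUMP = """\
000 : 41 42 43 44 45 46 47 48 49 4A 4B 4C 4D 4E 4F 50   ABCDEFGHIJKLMNOP
010 : 51 52 53 54 55 56 57 41 42 43 44 45 46 47 48 49   QRSTUVWABCDEFGHI
"""

DUMP_LINE = re.compile(r"^([0-9A-Fa-f]{3,}) : (.+)$")


def parse_acid_payload(dump: str) -> bytes:
    """Rebuild payload bytes from 'offset : hex   ascii' lines, checking offsets."""
    payload = bytearray()
    for line in dump.splitlines():
        m = DUMP_LINE.match(line.strip())
        if not m:
            continue  # separators and blank lines
        if int(m.group(1), 16) != len(payload):
            raise ValueError(f"dump is not contiguous at offset {m.group(1)}")
        # The hex column ends at the first run of two or more spaces.
        hex_col = re.split(r"\s{2,}", m.group(2), maxsplit=1)[0]
        payload += bytes.fromhex(hex_col)
    return bytes(payload)


def cyclic_alphabet(payload: bytes, first: int, span: int = 23) -> bool:
    """True if payload counts up from `first`, wrapping every `span` bytes."""
    return len(payload) > 0 and all(
        b == first + i % span for i, b in enumerate(payload)
    )


def classify_echo_payload(payload: bytes) -> str:
    """Label the echo payload by which 23-letter cycle it follows, if any."""
    if cyclic_alphabet(payload, ord("A")):
        return "uppercase A-W cycle"   # pattern in the alert above
    if cyclic_alphabet(payload, ord("a")):
        return "lowercase a-w cycle"   # default Windows ping.exe payload
    return "other"


def ip_total_length(hlen_words: int, payload: bytes) -> int:
    """IP header (hlen 32-bit words) + 8-byte ICMP echo header + payload."""
    return hlen_words * 4 + 8 + len(payload)
```

For the alert above, the reconstructed 32 bytes fall in the uppercase class and the computed IP length agrees with the reported hlen=5 and dlen=60, so the dump is complete.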



