[Snort-sigs] False Positive

Rob Lewis roblewis963 at ...12...
Thu Apr 15 06:38:17 EDT 2004


# This is a template for submitting snort signature descriptions to
# the snort.org website
#
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to others' work.
#
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
#
# $Id$
#
#

Rule:  alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB
SMB_COM_TRANSACTION Max Parameter and Max Count of 0 DOS Attempt";
flow:to_server,established; content:"|00|"; offset:0; depth:1;
content:"|FF|SMB|25|"; offset:4; depth:5; content:"|00 00 00 00|";
offset:43; depth:4; reference:cve,CAN-2002-0724;
reference:url,www.microsoft.com/technet/security/bulletin/MS02-045.asp;
reference:url,www.corest.com/common/showdoc.php?idx=262;
classtype:denial-of-service; sid:2101; rev:4;)

--
Sid: 2101

--
Summary:

--
Impact:

--
Detailed Information:

--
Affected Systems:

--
Attack Scenarios:

--
Ease of Attack:

--
False Positives: Script Logic commands can cause this to trigger False
Positives

--
False Negatives:

--
Corrective Action:

--
Contributors:

-- 
Additional References:  length = 127.5

000 : 00 00 00 90 FF 53 4D 42 25 00 00 00 00 18 07 C8   .....SMB%.......
010 : 00 00 88 D1 1C 44 9D 5D FF 7D 00 00 05 C0 78 04   .....D.].}....x.
020 : 02 60 80 0A 10 00 00 00 00 00 00 00 00 00 00 00   .`..............
030 : 00 88 13 00 00 00 00 00 00 90 00 00 00 00 00 02   ................
040 : 00 53 00 00 00 4D 00 00 5C 00 50 00 49 00 50 00   .S...M..\.P.I.P.
050 : 45 00 5C 00 53 00 63 00 72 00 69 00 70 00 74 00   E.\.S.c.r.i.p.t.
060 : 4C 00 6F 00 67 00 69 00 63 00 5F 00 53 00 65 00   L.o.g.i.c._.S.e.
070 : 72 00 76 00 65 00 72 00 5F 00 4E 00 61 00 6D 0   . .`.P. .........
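
The three content tests of sid 2101 replayed against the payload posted above, with a decode of the SMB_COM_TRANSACTION words, as an added example (not part of the original message and not Snort code). The field layout follows the MS-CIFS request structure; the function names are made up here, and the final, cut-off row of the dump is left out.

```python
import struct

# Constructed input: the complete rows of the dump in the message above
# (the last row is cut off on the page and is omitted).
DUMP_HEX = """
00 00 00 90 FF 53 4D 42 25 00 00 00 00 18 07 C8
00 00 88 D1 1C 44 9D 5D FF 7D 00 00 05 C0 78 04
02 60 80 0A 10 00 00 00 00 00 00 00 00 00 00 00
00 88 13 00 00 00 00 00 00 90 00 00 00 00 00 02
00 53 00 00 00 4D 00 00 5C 00 50 00 49 00 50 00
45 00 5C 00 53 00 63 00 72 00 69 00 70 00 74 00
4C 00 6F 00 67 00 69 00 63 00 5F 00 53 00 65 00
"""
PAYLOAD = bytes.fromhex("".join(DUMP_HEX.split()))

# The content options of sid 2101 as (pattern, offset, depth).
SID_2101 = [
    (b"\x00", 0, 1),
    (b"\xffSMB\x25", 4, 5),
    (b"\x00\x00\x00\x00", 43, 4),
]

def content_match(payload, pattern, offset, depth):
    """Absolute content match: pattern must lie inside payload[offset:offset+depth]."""
    return pattern in payload[offset:offset + depth]

def rule_fires(payload, contents=SID_2101):
    return all(content_match(payload, *c) for c in contents)

# SMB_COM_TRANSACTION request words (MS-CIFS layout). WordCount sits at payload
# offset 36: 4-byte NetBIOS session header plus 32-byte SMB header.
FIELDS = ("WordCount TotalParameterCount TotalDataCount MaxParameterCount "
          "MaxDataCount MaxSetupCount Reserved1 Flags Timeout Reserved2 "
          "ParameterCount ParameterOffset DataCount DataOffset SetupCount "
          "Reserved3").split()
LAYOUT = "<B4H2BHIH4H2B"

def decode_transaction(payload):
    words = dict(zip(FIELDS, struct.unpack_from(LAYOUT, payload, 36)))
    setup_at = 36 + struct.calcsize(LAYOUT)
    words["Setup"] = struct.unpack_from("<%dH" % words["SetupCount"], payload, setup_at)
    # Assumption for this capture: 2-byte ByteCount, then one pad byte before
    # the UTF-16LE name (the Unicode bit is set in Flags2).
    name_at = setup_at + 2 * words["SetupCount"] + 2 + 1
    words["Name"] = payload[name_at:].decode("utf-16-le")
    return words

if __name__ == "__main__":
    print("sid 2101 fires:", rule_fires(PAYLOAD))
    print(decode_transaction(PAYLOAD))
```

In this capture the bytes tested at offset 43 are MaxDataCount, MaxSetupCount and Reserved1, all four count fields before them are zero as well, and the first setup word is 0x0053 (TRANS_WAIT_NMPIPE in MS-CIFS) against a `\PIPE\ScriptLogic_Se...` name.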



