[Snort-sigs] False positive on rule SID 2403 NETBIOS SMB Session Setup AndX request unicode username overflow attempt
mwatchinski at ...435...
Wed Aug 4 11:26:02 EDT 2004
Hum, attached pcap is for 2404, but you are correct, this causes a false
positive. These rules will be updated shortly, as it looks like some
SMB packets with Extended Security, SPNEGO or NTLMSSP auth set this off.
Joseph Gama wrote:
>Thank you for the excellent work done with Snort!
>I am afraid that rule 2403 creates false positives.
>It fires every time I use Windows Explorer to browse
>shared directories in our network. Attached is a
>captured packet that fired the rule.