[Snort-sigs] False positive on rule SID 2403 NETBIOS SMB Session Setup AndX request unicode username overflow attempt

Matthew Watchinski mwatchinski at ...435...
Wed Aug 4 11:26:02 EDT 2004


Hum, attached pcap is for 2404, but you are correct, this causes a false 
positive.  These rules will be updated shortly, as it looks like some 
SMB packets with Extended Security, SPNEGO or NTLMSSP auth set this off.

Cheers,
-matt 

Joseph Gama wrote:

>Hello,
>
>Thank you for the excellent work done with Snort!
>
>I am afraid that rule 2403 creates false positives.
>It fires every time I use Windows Explorer to browse
>shared directories in our network. Attached is a
>captured packet that fired the rule.
>
>Best regards,
>
>Joseph Gama




