[Snort-sigs] False positive on rule SID 2403 NETBIOS SMB Session Setup AndX request unicode username overflow attempt

Matthew Watchinski mwatchinski at ...435...
Wed Aug 4 11:26:02 EDT 2004

Hum, the attached pcap is for 2404, but you are correct, this causes a false 
positive.  These rules will be updated shortly, as it looks like some 
SMB packets with Extended Security, SPNEGO or NTLMSSP auth set this off.


Joseph Gama wrote:

>Thank you for the excellent work done with Snort!
>I am afraid that rule 2403 creates false positives.
>It fires every time I use Windows Explorer to browse
>shared directories in our network. Attached is a
>captured packet that fired the rule.
>Best regards,
>Joseph Gama
