[Snort-sigs] Possible False Positive on SID 2383

Nigel Houghton nigel at ...435...
Thu Aug 19 08:08:10 EDT 2004


On  0, Lance Boon <lboon at ...2573...> allegedly wrote:
> I've just upgraded to Snort 2.2.0 from 2.1.3, using the rules that came
> with the 2.2.0 tarball, I notice what appears to be false positives on
> SID 2383. From as far as I can tell it's normal traffic from either
> Windows 2000 pro workstations, Windows XP pro workstations communicating
> to a Windows 2003 domain controller. I have a capture of the traffic
> available for analysis.
> Lance

Well, first make sure your $HOME_NET and $EXTERNAL_NET are set correctly. Then
please send your pcap along for analysis.

+-------------------------------------------------------------------------+
       Nigel Houghton       Research Engineer        Sourcefire Inc.
                       Vulnerability Research Team
                                                                         
  "Dude, dolphins are intelligent and friendly!" - Wendy
  "Intelligent and friendly on rye bread, with some mayonnaise." - Cartman
+-------------------------------------------------------------------------+



