[Snort-sigs] 2383 FP " NETBIOS SMB-DS DCERPC NTLMSSP asn1 overflow attempt"

Alex Kirk alex.kirk at ...435...
Wed Aug 25 08:49:20 EDT 2004

Generally speaking, it's nice if you can provide details with a false 
positive report -- like why you think it's a false positive, what (if 
anything) you suspect may be causing it, and pcaps if appropriate. We're 
more than happy to investigate these things, but just saying there's a 
false positive associated with a rule gives us nowhere to even begin.

BTW, please send whatever details you may have to the list, so that more 
eyes can be looking at them.

Alex Kirk
Research Analyst
Sourcefire, Inc.

>I am using the newest 2.2 ruleset (as of yesterday) and seeing a fair
>number of false positives on sid 2383 "NETBIOS SMB-DS DCERPC NTLMSSP
>asn1 overflow attempt"
>Anyone else?
>I can provide pcaps to the snort/sourcefire team if need be.
