[Snort-sigs] 2383 FP " NETBIOS SMB-DS DCERPC NTLMSSP asn1 overflow attempt"

sekure sekure at ...2420...
Wed Aug 25 09:00:06 EDT 2004


I understand that my report is pretty useless without corroborating
information, but in the interest of security I chose not to distribute
the pcaps to the list, since they contain my IPs and other identifying
information.  I did say that I'll be more than happy to provide the
pcaps to the snort team, but I didn't want to just fire off the email
to you guys (snort/sourcefire), and bypass the list.  I'll send the
pcap to you directly.

I believe it's a false positive because it does not look like an
attack.  It's coming from a desktop, directed to a server (actually
two different servers), but the timing is not consistent with an
attack, rather with normal MS communication.  It's all some fuzzy
logic in my head, call it my gut feeling, but I am pretty sure it's
not an attack, and therefore a False Positive.

On Wed, 25 Aug 2004 11:52:43 -0400, Alex Kirk <alex.kirk at ...435...> wrote:
> Generally speaking, it's nice if you can provide details with a false
> positive report -- like why you think it's a false positive, what (if
> anything) you suspect may be causing it, and pcaps if appropriate. We're
> more than happy to investigate these things, but just saying there's a
> false positive associated with a rule gives us nowhere to even begin.
> 
> BTW, please send whatever details you may have to the list, so that more
> eyes can be looking at them.
> 
> Alex Kirk
> Research Analyst
> Sourcefire, Inc.
> 
> 
> 
> >I am using the newest 2.2 ruleset (as of yesterday) and seeing a fair
> >number of false positives on sid 2383 "NETBIOS SMB-DS DCERPC NTLMSSP
> >asn1 overflow attempt"
> >
> >Anyone else?
> >
> >I can provide pcaps to the snort/sourcefire team if need be.
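The poster's argument above rests on timing: the hits arrive at the cadence of normal Windows chatter between one desktop and two servers, not in a burst. Below is an added example, not code from the poster, the Snort project, or Sourcefire, that turns that gut check into a reproducible triage step. It parses Snort "fast"-format alert lines, groups hits on a given SID by source/destination pair, and labels each pair as periodic, burst, or irregular from the inter-arrival times. The sample lines, IP addresses, timestamps, rule revision, and the thresholds in `classify` are all constructed for illustration; the fast format carries no year, so the code assumes all alerts fall in one calendar year.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample alerts in Snort "fast" output format (not the poster's data).
# Addresses are RFC 5737 documentation ranges; the ":1" revision number is made up.
SAMPLE_ALERTS = """\
08/25-09:00:00.000000  [**] [1:2383:1] NETBIOS SMB-DS DCERPC NTLMSSP asn1 overflow attempt [**] [Priority: 1] {TCP} 192.0.2.10:1025 -> 192.0.2.50:445
08/25-09:02:30.000000  [**] [1:2383:1] NETBIOS SMB-DS DCERPC NTLMSSP asn1 overflow attempt [**] [Priority: 1] {TCP} 192.0.2.10:1030 -> 192.0.2.51:445
08/25-09:05:00.000000  [**] [1:2383:1] NETBIOS SMB-DS DCERPC NTLMSSP asn1 overflow attempt [**] [Priority: 1] {TCP} 192.0.2.10:1041 -> 192.0.2.50:445
08/25-09:07:30.000000  [**] [1:2383:1] NETBIOS SMB-DS DCERPC NTLMSSP asn1 overflow attempt [**] [Priority: 1] {TCP} 192.0.2.10:1052 -> 192.0.2.51:445
08/25-09:10:00.000000  [**] [1:2383:1] NETBIOS SMB-DS DCERPC NTLMSSP asn1 overflow attempt [**] [Priority: 1] {TCP} 192.0.2.10:1063 -> 192.0.2.50:445
08/25-09:12:30.000000  [**] [1:2383:1] NETBIOS SMB-DS DCERPC NTLMSSP asn1 overflow attempt [**] [Priority: 1] {TCP} 192.0.2.10:1074 -> 192.0.2.51:445
08/25-09:15:00.000000  [**] [1:2383:1] NETBIOS SMB-DS DCERPC NTLMSSP asn1 overflow attempt [**] [Priority: 1] {TCP} 192.0.2.10:1085 -> 192.0.2.50:445
08/25-09:20:00.000000  [**] [1:2383:1] NETBIOS SMB-DS DCERPC NTLMSSP asn1 overflow attempt [**] [Priority: 1] {TCP} 198.51.100.7:3301 -> 192.0.2.50:445
08/25-09:20:00.400000  [**] [1:2383:1] NETBIOS SMB-DS DCERPC NTLMSSP asn1 overflow attempt [**] [Priority: 1] {TCP} 198.51.100.7:3302 -> 192.0.2.50:445
08/25-09:20:00.900000  [**] [1:2383:1] NETBIOS SMB-DS DCERPC NTLMSSP asn1 overflow attempt [**] [Priority: 1] {TCP} 198.51.100.7:3303 -> 192.0.2.50:445
08/25-09:20:01.300000  [**] [1:2383:1] NETBIOS SMB-DS DCERPC NTLMSSP asn1 overflow attempt [**] [Priority: 1] {TCP} 198.51.100.7:3304 -> 192.0.2.50:445
08/25-09:20:01.800000  [**] [1:2383:1] NETBIOS SMB-DS DCERPC NTLMSSP asn1 overflow attempt [**] [Priority: 1] {TCP} 198.51.100.7:3305 -> 192.0.2.50:445
"""

# One Snort "fast" alert line: timestamp, [gid:sid:rev], message, {proto} src:port -> dst:port.
ALERT_RE = re.compile(
    r"^(?P<date>\d\d/\d\d)-(?P<time>\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)


def parse_alert(line):
    """Return the fields of one fast-format alert line, or None if it does not parse."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    # Fast format has no year; strptime defaults to 1900, which is fine for deltas.
    ts = datetime.strptime(f"{m['date']}-{m['time']}", "%m/%d-%H:%M:%S.%f")
    return {"ts": ts, "sid": m["sid"], "msg": m["msg"], "proto": m["proto"],
            "src": m["src"], "dst": m["dst"], "dport": int(m["dport"])}


def classify(deltas, burst_window=5.0, min_alerts=3, max_cv=0.2):
    """Label a series of inter-arrival times (seconds) between alerts on one src/dst pair.

    Thresholds are constructed defaults, not values from the rule or the list:
    - 'burst'     : mean gap within burst_window, many hits in seconds (escalate first)
    - 'periodic'  : regular cadence (low coefficient of variation), typical of
                    scheduled Windows traffic and a good false-positive candidate
    - 'irregular' : neither; needs the pcap to decide
    """
    if len(deltas) < min_alerts - 1:
        return "insufficient"
    mean = statistics.mean(deltas)
    if mean <= burst_window:
        return "burst"
    cv = statistics.pstdev(deltas) / mean
    return "periodic" if cv < max_cv else "irregular"


def triage(alert_text, sid="2383"):
    """Group alerts for one SID by (src, dst, sid) and classify each pair's timing."""
    flows = defaultdict(list)
    for line in alert_text.splitlines():
        alert = parse_alert(line)
        if alert and alert["sid"] == sid:
            flows[(alert["src"], alert["dst"], alert["sid"])].append(alert["ts"])
    verdicts = {}
    for key, stamps in flows.items():
        stamps.sort()
        deltas = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        verdicts[key] = classify(deltas)
    return verdicts


if __name__ == "__main__":
    for (src, dst, sid), verdict in sorted(triage(SAMPLE_ALERTS).items()):
        print(f"sid {sid} {src} -> {dst}: {verdict}")
```

On the constructed input the desktop-to-server pairs come out `periodic` (five-minute cadence, zero variance) and the third source comes out `burst`; the periodic verdict only says the pair is worth checking against the pcap for legitimate SMB/DCERPC traffic before calling it a false positive, it does not by itself prove the rule is wrong.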



