[Snort-sigs] 2383 FP " NETBIOS SMB-DS DCERPC NTLMSSP asn1 overflow attempt"
alex.kirk at ...435...
Wed Aug 25 09:13:13 EDT 2004
Well, I can understand your desire for privacy, certainly; my request
for pcaps going to the list was made more as a policy sort of thing --
so that, in essence, we don't end up fragmenting snort-sigs into a
million different private discussions.
Given that your objection seems to rest on privacy, though, have you
seen the -O flag to Snort, which obfuscates IP addresses for
circumstances like this? You could easily just do that; if there's other
identifying information, either just go through with Netdude or another
packet-modifying tool and obfuscate that, or if that's not feasible,
just send them to Sourcefire privately. We don't mind accommodating a
request for privacy like that; like I said, it's more of a general
policy issue that, whenever possible, things should be kept on-list, so
as to not fragment the discussion.
>I understand that my report is pretty useless without corroborating
>information, but in the interest of security I chose not to distribute
>the pcaps to the list, since they contain my IPs and other identifying
>information. I did say that I'll be more than happy to provide the
>pcaps to the snort team, but I didn't want to just fire off the email
>to you guys (snort/sourcefire), and bypass the list. I'll send the
>pcap to you directly.
>I believe it's a false positive because it does not look like an
>attack. It's coming from a desktop, directed to a server (actually
>two different servers), but the timing is not consistent with an
>attack, rather with normal MS communication. It's all some fuzzy
>logic in my head, call it my gut feeling, but I am pretty sure it's
>not an attack, and therefore a False Positive.
>On Wed, 25 Aug 2004 11:52:43 -0400, Alex Kirk <alex.kirk at ...435...> wrote:
>>Generally speaking, it's nice if you can provide details with a false
>>positive report -- like why you think it's a false positive, what (if
>>anything) you suspect may be causing it, and pcaps if appropriate. We're
>>more than happy to investigate these things, but just saying there's a
>>false positive associated with a rule gives us nowhere to even begin.
>>BTW, please send whatever details you may have to the list, so that more
>>eyes can be looking at them.
>>>I am using the newest 2.2 ruleset (as of yesterday) and seeing a fair
>>>number of false positives on sid 2383 "NETBIOS SMB-DS DCERPC NTLMSSP
>>>asn1 overflow attempt"
>>>I can provide pcaps to the snort/sourcefire team if need be.
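The thread's practical advice is to sanitize a capture before sending it to the list, either with Snort's -O flag or with a packet-modifying tool such as Netdude. The script below is an added example, not part of this thread and not Snort's or Netdude's code: it rewrites the source and destination addresses of every Ethernet/IPv4 frame in a classic pcap to consistent pseudonyms from the RFC 5737 documentation range 198.51.100.0/24 (an assumed choice), and then recomputes both the IPv4 header checksum and the TCP/UDP checksum, because the transport checksum covers the addresses through its pseudo-header and a capture with bad checksums is easily skipped or flagged by the analyst's Snort or Wireshark. It assumes link type Ethernet only, and the one-packet pcap it builds is constructed here purely as test input.

```python
import struct
import ipaddress

PCAP_MAGICS = {0xA1B2C3D4, 0xA1B23C4D}   # classic pcap, microsecond and nanosecond variants
ETHERTYPE_IPV4 = b"\x08\x00"
L4_CHECKSUM_OFFSET = {6: 16, 17: 6}      # TCP and UDP checksum field positions


def ones_complement_checksum(data: bytes) -> int:
    """RFC 1071 checksum; returns 0 when run over data that already carries a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def transport_checksum(ip_header: bytes, payload: bytes) -> int:
    """TCP/UDP checksum over the IPv4 pseudo-header (src, dst, proto, length) plus the segment."""
    pseudo = ip_header[12:20] + struct.pack("!BBH", 0, ip_header[9], len(payload))
    return ones_complement_checksum(pseudo + payload)


class IPPseudonymizer:
    """Maps each real IPv4 address to the next address of a documentation range, consistently."""

    def __init__(self, pool: str = "198.51.100.0/24"):   # assumed pool; any non-routable range works
        self._pool = ipaddress.ip_network(pool).hosts()
        self._map = {}

    def translate(self, raw: bytes) -> bytes:
        if raw not in self._map:
            self._map[raw] = next(self._pool).packed
        return self._map[raw]

    @property
    def mapping(self) -> dict:
        return {str(ipaddress.IPv4Address(k)): str(ipaddress.IPv4Address(v)) for k, v in self._map.items()}


def rewrite_ipv4_frame(frame: bytes, pseud: IPPseudonymizer) -> bytes:
    """Pseudonymize src/dst of an Ethernet/IPv4 frame and repair checksums; other frames pass through."""
    if len(frame) < 34 or frame[12:14] != ETHERTYPE_IPV4:
        return frame
    ihl = (frame[14] & 0x0F) * 4
    if ihl < 20 or len(frame) < 14 + ihl:
        return frame
    total = struct.unpack("!H", frame[16:18])[0]
    end = 14 + total
    complete = total >= ihl and len(frame) >= end   # False when snaplen truncated the packet
    ip = bytearray(frame[14:14 + ihl])
    ip[12:16] = pseud.translate(bytes(ip[12:16]))
    ip[16:20] = pseud.translate(bytes(ip[16:20]))
    ip[10:12] = b"\x00\x00"
    ip[10:12] = struct.pack("!H", ones_complement_checksum(bytes(ip)))
    payload = bytearray(frame[14 + ihl:end] if complete else frame[14 + ihl:])
    off = L4_CHECKSUM_OFFSET.get(ip[9])
    # Only a complete segment can be re-checksummed; UDP checksum 0 means "none", so keep it.
    if complete and off is not None and len(payload) >= off + 2 and not (ip[9] == 17 and payload[off:off + 2] == b"\x00\x00"):
        payload[off:off + 2] = b"\x00\x00"
        value = transport_checksum(bytes(ip), bytes(payload)) or (0xFFFF if ip[9] == 17 else 0)
        payload[off:off + 2] = struct.pack("!H", value)
    return frame[:14] + bytes(ip) + bytes(payload) + (frame[end:] if complete else b"")


def _pcap_endian(data: bytes) -> str:
    if struct.unpack("<I", data[:4])[0] in PCAP_MAGICS:
        return "<"
    if struct.unpack(">I", data[:4])[0] in PCAP_MAGICS:
        return ">"
    raise ValueError("not a classic pcap file (magic mismatch)")


def anonymize_pcap(data: bytes, pseud: IPPseudonymizer) -> bytes:
    """Walk the pcap record by record and return a new file with rewritten frames."""
    endian = _pcap_endian(data)
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet (DLT_EN10MB) captures are handled")
    out, off = bytearray(data[:24]), 24
    while off + 16 <= len(data):
        incl = struct.unpack(endian + "I", data[off + 8:off + 12])[0]
        out += data[off:off + 16] + rewrite_ipv4_frame(data[off + 16:off + 16 + incl], pseud)
        off += 16 + incl
    return bytes(out)


def summarize(data: bytes) -> list:
    """Per IPv4 frame: addresses and whether the IP and transport checksums verify."""
    endian, result, off = _pcap_endian(data), [], 24
    while off + 16 <= len(data):
        incl = struct.unpack(endian + "I", data[off + 8:off + 12])[0]
        f = data[off + 16:off + 16 + incl]
        off += 16 + incl
        if f[12:14] != ETHERTYPE_IPV4:
            continue
        ihl = (f[14] & 0x0F) * 4
        ip = f[14:14 + ihl]
        payload = f[14 + ihl:14 + struct.unpack("!H", ip[2:4])[0]]
        result.append({"src": str(ipaddress.IPv4Address(ip[12:16])), "dst": str(ipaddress.IPv4Address(ip[16:20])),
                       "ip_ok": ones_complement_checksum(ip) == 0,
                       "l4_ok": transport_checksum(ip, payload) == 0})
    return result


def build_sample_pcap() -> bytes:
    """Constructed test input: one TCP SYN from 10.1.2.3 to 10.9.8.7 on port 445 (SMB-DS)."""
    eth = b"\x00\x11\x22\x33\x44\x55\x66\x77\x88\x99\xaa\xbb" + ETHERTYPE_IPV4
    tcp = bytearray(struct.pack("!HHIIBBHHH", 49152, 445, 1000, 0, 5 << 4, 0x02, 8192, 0, 0))
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0,
                               ipaddress.IPv4Address("10.1.2.3").packed, ipaddress.IPv4Address("10.9.8.7").packed))
    ip[10:12] = struct.pack("!H", ones_complement_checksum(bytes(ip)))
    tcp[16:18] = struct.pack("!H", transport_checksum(bytes(ip), bytes(tcp)))
    frame = eth + bytes(ip) + bytes(tcp)
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    record = struct.pack("<IIII", 1093446793, 0, len(frame), len(frame))
    return header + record + frame


if __name__ == "__main__":
    pseud = IPPseudonymizer()
    cleaned = anonymize_pcap(build_sample_pcap(), pseud)
    print(summarize(cleaned), pseud.mapping)
```

To use it on a real capture, read the file into `data`, call `anonymize_pcap`, and write the result to a new file; keep `pseud.mapping` locally, since it is exactly the information the sanitized copy is meant to withhold. Addresses inside payloads (NetBIOS names, hostnames in SMB negotiation, DNS answers) are not touched by this script, which is the same gap the thread's advice about going through the capture with Netdude covers, so inspect the payloads before sending.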