[Snort-sigs] 2383 FP " NETBIOS SMB-DS DCERPC NTLMSSP asn1 overflow attempt"

Alex Kirk alex.kirk at ...435...
Wed Aug 25 09:13:13 EDT 2004

Well, I can understand your desire for privacy, certainly; my request 
for pcaps going to the list was made more as a policy sort of thing -- 
so that, in essence, we don't end up fragmenting snort-sigs into a 
million different private discussions.

Given that your objection seems to rest on privacy, though, have you 
seen the -O flag to Snort, which obfuscates IP addresses for 
circumstances like this? You could easily just do that; if there's other 
identifying information, either just go through with Netdude or another 
packet-modifying tool and obfuscate that, or if that's not feasible, 
just send them to Sourcefire privately. We don't mind accomodating a 
request for privacy like that; like I said, it's more of a general 
policy issue that, whenever possible, things should be kept on-list, so 
as to not fragment the discussion.

Alex Kirk
Research Analyst
Sourcefire, Inc.

>I understand that my report is pretty useless without corraborating
>information, but in the interest of security I chose not to distribute
>the pcaps to the list, since they contain my IPs and other identifying
>information.  I did say that I'll be more than happy to provide the
>pcaps to the snort team, but I didn't want to just fire off the email
>to you guys (snort/sourcefire), and bypass the list.  I'll send the
>pcap to you directly.
>I believe it's a false positive because it does not look like an
>attack.  It's coming from a desktop, directed to a server (actually
>two different servers), but the timing is not consistent with an
>attack, rather with normal MS communication.  It's all some fuzzy
>logic in my head, call it my gut feeling, but I am pretty sure it's
>not an attack, and therefore a False Positive.
>On Wed, 25 Aug 2004 11:52:43 -0400, Alex Kirk <alex.kirk at ...435...> wrote:
>>Generally speaking, it's nice if you can provide details with a false
>>positive report -- like why you think it's a false positive, what (if
>>anything) you suspect may be causing it, and pcaps if appropriate. We're
>>more than happy to investigate these things, but just saying there's a
>>false positive associated with a rule gives us nowhere to even begin.
>>BTW, please send whatever details you may have to the list, so that more
>>eyes can be looking at them.
>>Alex Kirk
>>Research Analyst
>>Sourcefire, Inc.
>>>I am using the newest 2.2 ruleset (as of yesterday) and seeing a fair
>>>number of false positives on sid 2383 "NETBIOS SMB-DS DCERPC NTLMSSP
>>>asn1 overflow attempt"
>>>Anyone else?
>>>I can provide pcaps to the snort/sourcefire team if need be.

More information about the Snort-sigs mailing list