[Snort-sigs] Rule FP, possible fix

Giles Coochey giles.coochey at ...2924...
Wed Dec 8 07:30:28 EST 2004

Rule:  alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS
D$ unicode share access"; flow:established,to_server; content:"|00|";
offset:0; depth:1; content:"|FF|SMBu"; distance:3; within:5;
byte_test:1,&,128,6,relative; content:"D|00 24 00 00 00|"; nocase;
distance:33; classtype:protocol-command-decode; sid:2469; rev:5;) 
Sid: 1:2469

False Positives:

If you operate a Distributed File System where users are redirected
through to hidden shares which end in D$ (e.g. \\server\shared$) then
this rule would trip.

Possible fix: the last content should probably be something like: "|00
5C 00 53 00 24 00 00|"
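
The behaviour described above can be reproduced offline. The following is an added example, not code from the original post or from the Snort project: it builds constructed SMB_COM_TREE_CONNECT_ANDX requests (not captures) for a few share paths, then applies the rule's content, offset, distance, within and byte_test constraints in Python, first with the rule's existing final content and then with a tightened pattern that anchors on the path separator immediately before "D$". The exact tightened byte pattern, the packet layout and the share paths are this example's assumptions.

```python
import struct

SMB_FLAGS2_UNICODE = 0x8000
SMB_COM_TREE_CONNECT_ANDX = 0x75

# Final content of sid 2469 rev 5: "D|00 24 00 00 00|" (UTF-16LE "D$" plus terminator)
ORIGINAL_PATTERN = b"D\x00$\x00\x00\x00"
# Assumed tightened pattern: require the UTF-16LE "\" right before "D$"
TIGHTENED_PATTERN = b"\\\x00D\x00$\x00\x00\x00"


def build_tree_connect_andx(path: str, unicode: bool = True) -> bytes:
    """Constructed sample packet: NetBIOS session header + SMB header + TREE_CONNECT_ANDX.

    Layout is a minimal one assumed for this example, not copied from a capture.
    """
    flags2 = 0x0001 | (SMB_FLAGS2_UNICODE if unicode else 0)
    smb_header = (
        b"\xffSMB"                              # protocol id
        + bytes([SMB_COM_TREE_CONNECT_ANDX])    # command
        + b"\x00" * 4                           # status
        + b"\x18"                               # flags
        + struct.pack("<H", flags2)             # flags2 (bit 15 = unicode strings)
        + b"\x00" * 20                          # PIDHigh, signature, reserved, TID, PID, UID, MID
    )
    assert len(smb_header) == 32
    # WordCount=4, AndXCommand=0xFF (none), AndXReserved, AndXOffset, Flags, PasswordLength=1
    params = struct.pack("<BBBHHH", 4, 0xFF, 0, 0, 0, 1)
    encoded_path = path.encode("utf-16-le") if unicode else path.encode("ascii")
    data = b"\x00" + encoded_path + b"\x00\x00" + b"?????\x00"   # password, path, service
    body = smb_header + params + struct.pack("<H", len(data)) + data
    # NetBIOS session message: type 0x00 followed by a 3-byte big-endian length
    return b"\x00" + struct.pack(">I", len(body))[1:] + body


def rule_matches(payload: bytes, share_pattern: bytes) -> bool:
    """Apply the rule's payload checks with the given final content pattern."""
    # content:"|00|"; offset:0; depth:1
    if not payload or payload[0] != 0x00:
        return False
    # content:"|FF|SMBu"; distance:3; within:5  -> 5 bytes that must start exactly at offset 4
    if payload[4:9] != b"\xffSMBu":
        return False
    # byte_test:1,&,128,6,relative -> byte 6 past the previous match (offset 15):
    # high byte of Flags2, where 0x80 is the unicode-strings bit
    if len(payload) < 16 or not payload[15] & 0x80:
        return False
    # content:...; nocase; distance:33 -> earliest start is offset 9 + 33 = 42
    return payload.lower().find(share_pattern.lower(), 42) != -1


def evaluate(paths):
    """Return {path: (matches_original_rule, matches_tightened_rule)}."""
    results = {}
    for path in paths:
        pkt = build_tree_connect_andx(path)
        results[path] = (rule_matches(pkt, ORIGINAL_PATTERN),
                         rule_matches(pkt, TIGHTENED_PATTERN))
    return results


if __name__ == "__main__":
    # Constructed share paths: the real D$ share, the DFS-style hidden share
    # from the post, and an unrelated admin share
    for path, (orig, tight) in evaluate([r"\\server\D$", r"\\server\shared$",
                                         r"\\server\C$"]).items():
        print(f"{path:20s} original={orig!s:5s} tightened={tight!s:5s}")
```

Run with no arguments: the DFS-style "\\server\shared$" path trips the original pattern (the "d$" at the end of the share name satisfies the nocase "D$" content) but not the tightened one, while "\\server\D$" trips both. The nocase modifier is kept on the tightened pattern because Windows share names are case-insensitive; a request without the unicode flag set in Flags2 fails the byte_test and is not alerted on by either variant.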
