[Snort-sigs] FPs from SID:2175 [ NETBIOS SMB winreg access (unicode) ]

Jason Haar Jason.Haar at ...651...
Thu Feb 26 18:46:02 EST 2004

I am getting hits all over the place for:

alert tcp any any -> any 139 (msg:"NETBIOS SMB winreg access (unicode)";
flow:to_server,established; content:"|00|"; offset:0; depth:1;
content:"|FF|SMB|a2|"; offset:4; depth:5;
content:"\\|00|w|00|i|00|n|00|r|00|e|00|g|00|"; nocase; offset:85;
classtype:attempted-recon; sid:2175; rev:1;)

I'd say I'm seeing False Positives on this typically between domain
controllers, exchange to exchange, and users who have mounted a remote share
as local administrator (we have development boys in one site who administer
servers in another site). I can't tell you exactly what they are doing to
trigger the rule - but it's all valid traffic...


Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

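The rule quoted above, as an added example that is not part of the original post: a Python re-implementation of SID 2175's three content matches, run over constructed SMB packets. It leaves out the flow:to_server,established condition (stream state the Snort engine supplies, not something visible in a single payload). The host names in the sample flows, the TID/PID/UID values and the access-mask constants in the packet builder are assumptions for illustration; the field layout follows the CIFS NT_CREATE_ANDX request.

```python
"""
Added example, not code from the post or from the Snort ruleset: a byte-level
re-implementation of the content matches in SID 2175 (NETBIOS SMB winreg
access (unicode)), exercised against constructed NT Create AndX requests.
"""
import struct

NBSS_SESSION_MESSAGE = 0x00          # NetBIOS Session Service "session message"
SMB_COM_NT_CREATE_ANDX = 0xA2        # the |a2| byte in the rule
WINREG_UTF16LE = "\\winreg".encode("utf-16-le")  # \|00|w|00|i|00|n|00|r|00|e|00|g|00|


def sid2175_matches(payload: bytes) -> bool:
    """True when the TCP payload satisfies all three content matches of SID 2175."""
    # content:"|00|"; offset:0; depth:1  -> NetBIOS session message type byte
    if not payload or payload[0] != NBSS_SESSION_MESSAGE:
        return False
    # content:"|FF|SMB|a2|"; offset:4; depth:5  -> SMB magic followed by the command byte
    if payload[4:9] != b"\xffSMB\xa2":
        return False
    # content:"\\|00|w|00|i|00|n|00|r|00|e|00|g|00|"; nocase; offset:85
    # nocase on a UTF-16LE string works byte-wise: lower() touches only the
    # ASCII letters, the interleaved 0x00 bytes are left alone.
    return WINREG_UTF16LE in payload[85:].lower()


def nt_create_andx_request(path: str, unicode: bool = True) -> bytes:
    """Constructed NetBIOS-framed SMB_COM_NT_CREATE_ANDX request opening `path`
    (for example "\\winreg") on an already connected IPC$ tree.
    TID/PID/UID/MID and the access mask are dummy values (assumption)."""
    if unicode:
        name = path.encode("utf-16-le") + b"\x00\x00"
        term = 2
    else:
        name = path.encode("ascii") + b"\x00"
        term = 1
    flags2 = 0x4001 | (0x8000 if unicode else 0)   # NT_STATUS | LONG_NAMES [| UNICODE]
    # 32-byte SMB header: magic, command, NT status, flags, flags2, PIDHigh,
    # security signature, reserved, TID, PID, UID, MID
    header = struct.pack("<4sBIBHH8sHHHHH", b"\xffSMB", SMB_COM_NT_CREATE_ANDX,
                         0, 0x18, flags2, 0, bytes(8), 0, 0x0801, 0xFEFF, 0x0800, 1)
    # 24 parameter words (48 bytes) of NT_CREATE_ANDX
    words = struct.pack("<BBHBHIIIQIIIIIB",
                        0xFF, 0, 0,        # AndXCommand = none, AndXReserved, AndXOffset
                        0,                 # Reserved
                        len(name) - term,  # NameLength in bytes, without terminator
                        0,                 # Flags
                        0,                 # RootDirectoryFID
                        0x0002019F,        # DesiredAccess (dummy pipe access mask)
                        0,                 # AllocationSize
                        0,                 # ExtFileAttributes
                        3,                 # ShareAccess: READ | WRITE
                        1,                 # CreateDisposition: FILE_OPEN
                        0x40,              # CreateOptions: NON_DIRECTORY_FILE
                        2,                 # ImpersonationLevel: Impersonation
                        0)                 # SecurityFlags
    # Unicode names are padded to a 2-byte boundary relative to the SMB header
    data = (b"\x00" if unicode else b"") + name
    smb = header + bytes([24]) + words + struct.pack("<H", len(data)) + data
    # 4-byte NetBIOS header: message type 0x00 plus 24-bit big-endian length
    return bytes([NBSS_SESSION_MESSAGE]) + len(smb).to_bytes(3, "big") + smb


def evaluate(flows):
    """flows: iterable of (client, server, payload). Returns the endpoint pairs
    the rule alerts on. Nothing here looks at the endpoints: the decision is
    made purely on bytes, which is why legitimate admin traffic alerts too."""
    return [(client, server) for client, server, payload in flows
            if sid2175_matches(payload)]


# Constructed sample flows (host names are made up for the example).
CONSTRUCTED_FLOWS = [
    ("scanner", "fileserver", nt_create_andx_request("\\winreg")),           # unicode, lower case
    ("dc1", "dc2", nt_create_andx_request("\\WinReg")),                      # nocase: still hits
    ("dev-ws", "srv", nt_create_andx_request("\\winreg", unicode=False)),    # ASCII: not this rule
    ("dev-ws", "srv", nt_create_andx_request("\\srvsvc")),                   # other pipe: no hit
]

if __name__ == "__main__":
    for client, server in evaluate(CONSTRUCTED_FLOWS):
        print(f"SID 2175 would alert on {client} -> {server}")
```

In the constructed request the UTF-16LE pipe name lands at payload offset 88 (4-byte NetBIOS header, 32-byte SMB header, WordCount, 48 bytes of parameters, ByteCount and one alignment byte), just past the rule's offset:85, and the same bytes are produced whether the client is a scanner or a domain controller opening the Remote Registry pipe. Tuning therefore has to be done on the endpoints rather than the payload, for example with a suppress entry keyed on the administrators' source addresses (`suppress gen_id 1, sig_id 2175, track by_src, ip 10.1.1.0/24`, address assumed) in Snort's threshold.conf.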