[Snort-sigs] FPs from SID:2175 [ NETBIOS SMB winreg access (unicode) ]

Brian bmc at ...95...
Fri Feb 27 07:56:07 EST 2004


On Fri, Feb 27, 2004 at 03:35:33PM +1300, Jason Haar wrote:
> I'd say I'm seeing False Positives on this typically between domain
> controllers, exchange to exchange, and users who have mounted a remote share
> as local administrator (we have development boys in one site who administer
> servers in another site). I can't tell you exactly what they are doing to
> trigger the rule - but it's all valid traffic...

Oh, those are not false positives.  Those services access each other's
registries.  In many environments, registry access over the net is
bad.  Tune your IDS to allow those hosts to access the registry, and
leave the rule enabled for everything else.

Brian
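
One way to apply the tuning described in the reply above, as an added example that is not part of the original post: Snort's `suppress` directive in threshold.conf, scoped to source hosts, keeps SID 2175 alerting for everyone else. The addresses are constructed placeholders from documentation ranges, and which hosts belong on the list is an assumption to settle per site.

```conf
# threshold.conf fragment (added example, addresses are constructed placeholders)

# Too broad: this form silences SID 2175 for every host on the network,
# which throws away the detection the reply says to keep.
# Left commented out, for contrast only.
# suppress gen_id 1, sig_id 2175

# Scoped: suppress SID 2175 only when the SOURCE is a host that is
# expected to open remote registries. Everything else still alerts.

# Domain controllers that talk to each other (placeholders)
suppress gen_id 1, sig_id 2175, track by_src, ip 192.0.2.10
suppress gen_id 1, sig_id 2175, track by_src, ip 192.0.2.11

# Exchange servers (placeholders)
suppress gen_id 1, sig_id 2175, track by_src, ip 192.0.2.20
suppress gen_id 1, sig_id 2175, track by_src, ip 192.0.2.21

# Workstations of the administrators who manage servers at the
# other site, given as a small CIDR block (placeholder)
suppress gen_id 1, sig_id 2175, track by_src, ip 198.51.100.0/28
```

A `track by_src` entry suppresses the alert for that host toward any destination, so keep the list to hosts with a known reason for remote registry access and review it when servers are retired or re-addressed.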