[Snort-sigs] FPs from SID:2175 [ NETBIOS SMB winreg access (unicode) ]

Jason Haar Jason.Haar at ...651...
Fri Feb 27 11:00:03 EST 2004

On Fri, Feb 27, 2004 at 10:44:59AM -0500, Brian wrote:
> Oh, those are not false positives.  Those services access each other's
> registries.  In many environments, registry access over the net is
> bad.  Tune your IDS to allow those hosts to access the registry, and
> leave the rule enabled for everything else.

I'd argue with you on that one. It appears to me this rule can trigger on
any form of administrator-level network access - something that happens all
the time from anywhere IMHO... And our network won't be unusual in that
regard (it's like triggering on root-access via SSH)

Snort probably couldn't handle the sizing of a var definition containing all
the IP addresses on our WAN that could have valid reasons to do this action
- no - wait - HOME_NET would do it...

I think I'll just disable it :-)


Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
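The tuning Brian suggests (keep the rule on, exempt the hosts that legitimately do remote registry work) can be expressed without touching the rule itself. The fragment below is an added example for this thread, not a configuration posted by either author; it uses Snort's threshold.conf suppression syntax, generator 1 for the standard rule set, and constructed placeholder addresses from the 192.0.2.0/24 documentation range in place of real management stations.

```snort
# Added example (not from the thread): threshold.conf entries that keep
# SID 2175 (NETBIOS SMB winreg access (unicode)) alerting for everything
# except a short list of approved administrative sources.
# gen_id 1 is the generator for the standard text rules; the IP values
# are constructed placeholders, substitute the real management hosts.

# Individual management workstations that are expected to touch
# remote registries: matching events from these sources are dropped
# before alerting, all other sources still fire SID 2175.
suppress gen_id 1, sig_id 2175, track by_src, ip 192.0.2.10
suppress gen_id 1, sig_id 2175, track by_src, ip 192.0.2.11

# A whole management subnet can be exempted with CIDR notation
# instead of listing each host.
suppress gen_id 1, sig_id 2175, track by_src, ip 192.0.2.0/28
```

This file is read through the `include threshold.conf` line in snort.conf. Suppression by source keeps the rule's detection logic intact, so registry access from an unlisted host (a workstation that should never be doing remote administration) is still reported, which is the distinction a flat disable loses.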
