[Snort-sigs] SID 2404, NETBIOS SMB-DS Session Setup AndX request unicode username overflow attempt

Nigel Houghton nigel at ...435...
Wed Jun 23 11:32:03 EDT 2004

On  0, Lance Boon <lboon at ...2573...> allegedly wrote:
> I've got a question on SID 2404 NETBIOS SMB-DS Session Setup AndX
> request unicode username overflow attempt. According to the Snort
> Signature Database it says that "This event is generated when an attempt
> is made to exploit a known vulnerability in ISS RealSecure and BlackICE
> products." Why would this be alerting on traffic from a Windows 2003
> Server to a Windows XP Pro workstation, both patched to the latest
> service packs and hot fixes? I also have this alert triggering on
> traffic from Windows 2003 to Windows 2000 Pro machines as well. I don't
> have ISS RealSecure or BlackICE running on any of these systems.

Just because you don't use those pieces of software doesn't mean that you
will never see traffic that might trip a rule or possibly exploit a
condition if that software were to exist on your network. What you may
have is a false positive condition occuring. What we need is more detail
on what exactly is making the rule generate an event. i.e. packet data

Nigel Houghton       Research Engineer        Sourcefire Inc.
                 Vulnerability Research Team

In an emergency situation involving two or more officers of equal rank,
seniority will be granted to whichever officer can program a vcr.

More information about the Snort-sigs mailing list