[Snort-sigs] FP on "NETBIOS DCERPC Remote Activation bind attempt"

Jason Haar Jason.Haar at ...651...
Mon Mar 15 12:36:59 EST 2004


[Boy, nothing like an upgrade to bring out the reports! ;-)]

I'm getting quite a few FPs on "NETBIOS DCERPC Remote Activation bind
attempt" - SID: 2251

It's only triggering on an old NT4 server of ours - probably quite unpatched
for some time. The clients will be Win2K or WinXP. So far we've had four
different clients trigger this alert - all to the same host.

The details about 2251 seem quite adamant that this rule doesn't have FPs,
but I think otherwise.

This is under Snort-2.1.1.

Here's the packet as shown within ACID

length = 72

000 : 05 00 0B 03 10 00 00 00 48 00 00 00 03 00 00 00   ........H.......
010 : D0 16 D0 16 EF EA 00 00 01 00 00 00 02 00 01 00   ................
020 : B8 4A 9F 4D 1C 7D CF 11 86 1E 00 20 AF 6E 7C 57   .J.M.}..... .n|W
030 : 00 00 00 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00   .....]..........
040 : 2B 10 48 60 02 00 00 00                           +.H....


-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
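For triage of this alert, here is the 72-byte bind PDU from the ACID dump above decoded with a small DCE/RPC bind parser (an added example, not code from the original post or from Snort). It assumes the rule is keyed on the interface being bound, and uses the well-known DCOM IRemoteActivation interface UUID as that key; decoding shows the client is binding exactly that interface, which a normal DCOM activation against a host also does.

```python
import struct
import uuid

# Well-known DCOM IRemoteActivation interface UUID (the "Remote Activation"
# the rule name refers to); assumed here to be what SID 2251 keys on.
IREMOTE_ACTIVATION = uuid.UUID("4d9f4ab8-7d1c-11cf-861e-0020af6e7c57")

# The 72-byte bind PDU transcribed from the ACID dump in the post above.
BIND_PDU = bytes.fromhex(
    "05000b03100000004800000003000000d016d016efea00000100000002000100"
    "b84a9f4d1c7dcf11861e0020af6e7c5700000000045d888aeb1cc9119fe80800"
    "2b10486002000000"
)

def parse_bind(pdu: bytes) -> dict:
    """Decode a DCE/RPC connection-oriented bind PDU (ptype 11)."""
    (v_major, v_minor, ptype, pfc_flags, drep, frag_len, auth_len,
     call_id) = struct.unpack_from("<BBBBIHHI", pdu, 0)
    if ptype != 11:
        raise ValueError(f"not a bind PDU (ptype={ptype})")
    if not drep & 0x10:  # bit 4 of the first drep byte: 1 = little-endian
        raise ValueError("big-endian data representation not handled")
    if frag_len != len(pdu):
        raise ValueError(f"frag_length {frag_len} != {len(pdu)} bytes captured")
    max_xmit, max_recv, assoc_group, n_ctx = struct.unpack_from("<HHIB", pdu, 16)
    off = 28  # the context count is followed by 3 pad bytes
    contexts = []
    for _ in range(n_ctx):
        ctx_id, n_ts = struct.unpack_from("<HB", pdu, off)
        off += 4  # context id (2) + transfer-syntax count (1) + pad (1)
        iface = uuid.UUID(bytes_le=pdu[off:off + 16])  # UUID is stored LE
        if_major, if_minor = struct.unpack_from("<HH", pdu, off + 16)
        off += 20
        syntaxes = []
        for _ in range(n_ts):
            ts = uuid.UUID(bytes_le=pdu[off:off + 16])
            (ts_ver,) = struct.unpack_from("<I", pdu, off + 16)
            off += 20
            syntaxes.append((str(ts), ts_ver))
        contexts.append({"context_id": ctx_id, "interface": str(iface),
                         "interface_version": (if_major, if_minor),
                         "transfer_syntaxes": syntaxes})
    return {"call_id": call_id, "max_xmit_frag": max_xmit, "max_recv_frag": max_recv,
            "assoc_group": assoc_group, "contexts": contexts}

def binds_remote_activation(pdu: bytes) -> bool:
    """True if any presentation context in the bind names IRemoteActivation."""
    return any(uuid.UUID(c["interface"]) == IREMOTE_ACTIVATION
               for c in parse_bind(pdu)["contexts"])
```

Running `binds_remote_activation(BIND_PDU)` returns True, so the alert is a correct match on the interface UUID; whether it is a false positive depends on whether these four clients are expected to activate DCOM objects on that NT4 host.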
