[Snort-sigs] no references to MS04-011 in 2.1 NetBIOS ruleset?

Jason Haar Jason.Haar at ...651...
Sun May 2 18:21:02 EDT 2004

On Sun, May 02, 2004 at 08:49:16PM -0400, Martin Roesch wrote:
> SID 2466 will detect infected hosts attempting to access an 
> administrative share on a Windows based machine. This rule will 
> generate events due to Sasser worm activity in 2.1.x and above.

"NETBIOS SMB-DS IPC$ share unicode access" triggers like mad on our network
- and it ain't due to Sasser - I had to disable that rule during test
phase...  e.g. all our Exchange servers trigger this rule every time they
talk to domain controllers...

Due to the amount of remote administration we do on our WAN, I have to
disable all "this is an administrative-attach" type rules. 20,000 alerts in
24 hours really classifies this as a "false positive" :-)

> >The CURRENT ruleset does have references, so any idea when they become
> >"official"?
> They're "official" in that they're out in CURRENT, dunno why they 
> haven't been backported in the 2.1 snapshot unless there's an issue 
> with flowbits functionality in 2.1.2+, I'll ask Caswell.

This terminology of CURRENT is really confusing. I just went through this in
snort-sigs. "CURRENT" actually means "beta", and "snapshot-2.1" is
actually "current". Is that correct? You saying "backported" implies
"snapshot-2.1" is somehow "old" - now I'm really confused... :-)


Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
