[Snort-sigs] Possible False Positive in sid:2514?
jstewart at ...5...
Wed May 19 10:54:04 EDT 2004
On Wednesday 19 May 2004 11:49 am, Michael Sconzo wrote:
> Two of my users here have triggered sid:2514 (the NETBIOS
> SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt).
> One is managing to trigger it while trying to copy over a large
> directory structure to another machine, and the other is using SELM
> to monitor event logs. Anybody else seeing this? I have a packet
> capture (extremely large) of the directory copy F.P.
If your Snort version supports the flowbits keyword, this alert could
not have triggered without an initial LSA_DS bind attempt in the same
stream. It would be a rare false positive to have an LSA_DS bind
request followed by a DsRolerUpgradeDownlevelServer request, because
the standard Windows API can't even put such a request on the wire,
meaning you would have had to have two different rules false-positive
in the same stream. My first inclination would be to ask if you are
using Snort 2.1.1 RC1 or better.
Joe Stewart, GCIH
Senior Security Researcher
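The flowbits dependency Joe describes, as an added illustration that is not part of the thread and is not Snort's rule code or the real sid:2514 rule body: a minimal emulation of two rules, a bind detector that sets a per-stream flowbit and an exploit-attempt detector that only fires when that bit is already set in the same stream. The rule names, the flowbit name and the packet layouts are simplified assumptions; the DSSETUP interface UUID and the DsRolerUpgradeDownlevelServer opnum are taken from public protocol documentation, and the "no flowbits" mode only models the content match of the exploit rule firing on its own.

```python
"""Flowbits-style stateful matching over a constructed DCERPC stream.

Added illustration for the Snort-sigs thread above; not Snort code and
not the real sid:2514 rule. Shows why a request that looks like
DsRolerUpgradeDownlevelServer cannot alert unless an LSA_DS bind was
already seen in the same flow when flowbits are in use.
"""
import struct
import uuid
from collections import defaultdict

# Assumed constants for the illustration (rule/flowbit names are hypothetical).
DSSETUP_UUID = uuid.UUID("3919286a-b10c-11d0-9ba8-00c04fd92ef5")  # DSSETUP (LSA_DS)
SRVSVC_UUID = uuid.UUID("4b324fc8-1670-01d3-1278-5a47bf6ee188")   # an unrelated interface
NDR_SYNTAX = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")    # NDR transfer syntax
DSROLER_UPGRADE_OPNUM = 9
PTYPE_REQUEST, PTYPE_BIND = 0x00, 0x0B
BIND_BIT = "dce.lsa_ds.bind"


def dcerpc_pdu(ptype, body):
    """16-byte DCERPC v5 common header (rpc_vers, minor, ptype, flags, drep,
    frag_len, auth_len, call_id) followed by `body`."""
    hdr = struct.pack("<BBBB4sHHI", 5, 0, ptype, 0x03, b"\x10\x00\x00\x00",
                      16 + len(body), 0, 1)
    return hdr + body


def build_bind(iface):
    """Bind PDU with one presentation context whose abstract syntax is `iface`.
    Layout puts the abstract-syntax UUID at PDU offset 32."""
    body = struct.pack("<HHIB3x", 4280, 4280, 0, 1)      # max_xmit, max_recv, assoc, n_ctx
    body += struct.pack("<HB1x", 0, 1) + iface.bytes_le  # ctx_id, n_transfer, abstract UUID
    body += struct.pack("<I", 0)                         # abstract syntax version
    body += NDR_SYNTAX.bytes_le + struct.pack("<I", 2)   # transfer syntax + version
    return dcerpc_pdu(PTYPE_BIND, body)


def build_request(opnum, stub=b"A" * 32):
    """Request PDU: alloc_hint, ctx_id, opnum (PDU offset 22), then stub data."""
    return dcerpc_pdu(PTYPE_REQUEST, struct.pack("<IHH", len(stub), 0, opnum) + stub)


def parse(payload):
    """Pull out only the fields the two rules look at."""
    if len(payload) < 16 or payload[0] != 5:
        return None
    info = {"ptype": payload[2]}
    if info["ptype"] == PTYPE_BIND and len(payload) >= 48:
        info["iface"] = uuid.UUID(bytes_le=payload[32:48])
    elif info["ptype"] == PTYPE_REQUEST and len(payload) >= 24:
        info["opnum"] = struct.unpack_from("<H", payload, 22)[0]
    return info


# Two-rule chain: the bind rule is flowbits:set,...; noalert, the exploit rule
# is flowbits:isset,... plus its own content match.
RULES = [
    {"msg": "DCERPC LSA_DS bind attempt (assumed name)",
     "match": lambda i: i["ptype"] == PTYPE_BIND and i.get("iface") == DSSETUP_UUID,
     "requires": None, "sets": BIND_BIT, "alert": False},
    {"msg": "NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt",
     "match": lambda i: i["ptype"] == PTYPE_REQUEST and i.get("opnum") == DSROLER_UPGRADE_OPNUM,
     "requires": BIND_BIT, "sets": None, "alert": True},
]


class Engine:
    """Per-flow flowbit state; `flowbits_supported=False` models a rule set
    with no flowbits keyword, where the content match alone decides."""

    def __init__(self, flowbits_supported=True):
        self.flowbits_supported = flowbits_supported
        self.bits = defaultdict(set)   # flow tuple -> set of flowbit names
        self.alerts = []

    def inspect(self, flow, payload):
        info = parse(payload)
        if info is None:
            return
        for rule in RULES:
            if not rule["match"](info):
                continue
            if self.flowbits_supported:
                if rule["requires"] and rule["requires"] not in self.bits[flow]:
                    continue           # isset fails: content matched, rule does not fire
                if rule["sets"]:
                    self.bits[flow].add(rule["sets"])
            if rule["alert"]:
                self.alerts.append((flow, rule["msg"]))


def run_scenarios(flowbits_supported=True):
    """Constructed streams; returns alert count per scenario."""
    client_a = ("10.0.0.5", 1025, "10.0.0.9", 445)
    client_b = ("10.0.0.6", 1026, "10.0.0.9", 445)
    bind, req = build_bind(DSSETUP_UUID), build_request(DSROLER_UPGRADE_OPNUM)
    scenarios = {
        "bind_then_request": [(client_a, bind), (client_a, req)],
        "request_only": [(client_a, req)],
        "bind_in_other_flow": [(client_a, bind), (client_b, req)],   # bits are per flow
        "other_interface_bind": [(client_a, build_bind(SRVSVC_UUID)), (client_a, req)],
    }
    results = {}
    for name, packets in scenarios.items():
        eng = Engine(flowbits_supported)
        for flow, payload in packets:
            eng.inspect(flow, payload)
        results[name] = len(eng.alerts)
    return results


if __name__ == "__main__":
    print("with flowbits:   ", run_scenarios(True))
    print("without flowbits:", run_scenarios(False))
```

With flowbits only the bind-then-request stream alerts; the same request seen alone, in a different flow, or after a bind to some other interface stays silent, which is why a genuine false positive on this rule needs two independent content matches to go wrong in one stream. Without flowbits every scenario containing the request fires, which is the behaviour to expect from a rule set that predates the keyword.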