[Snort-sigs] Possible False Positive in sid:2514?

Joe Stewart jstewart at ...5...
Wed May 19 10:54:04 EDT 2004

On Wednesday 19 May 2004 11:49 am, Michael Sconzo wrote:
> Two of my users here that have triggered sid:2514 (the NETBIOS
> SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt).
> One is managing to triger it while trying to copy over a large
> directory structure to another machine, and the other is using SELM
> to monitor event logs.  Anybody else seeing this?  I have a packet
> capture (extremely large) of the directory copy F.P.

If your Snort version supports the flowbits keyword, this alert could 
not have triggered without an initial LSA_DS bind attempt in the same 
stream. It would be a rare false positive to have an LSA_DS bind 
request followed by a DsRolerUpgradeDownlevelServer request, because 
the standard Windows API can't even put such a request on the wire - 
meaning you would have had to have two different rules false positive 
in the same stream. My first inclination would be to ask if you are 
using Snort 2.1.1 RC1 or better.


Joe Stewart, GCIH 
Senior Security Researcher
LURHQ http://www.lurhq.com/

More information about the Snort-sigs mailing list