[Snort-sigs] False +VE for NETBIOS DCERPC IActivation little endian bind attempt,Sig ID,3276

Russell Fulton r.fulton at ...575...
Thu Jun 30 15:59:16 EDT 2005


These FPs are caused by traffic to our Ericsson PABX directory server.

It would be nice if the rules could be tweaked so this traffic does not trip them.

Russell

META
--------
SID	CID	TimeStamp		Signature
2	27770	2005-06-30 10:51:32	NETBIOS DCERPC IActivation little endian bind attempt
Sig ID
3276

Sensor Hostname				Sensor Interface
monitor-tmk.insec.auckland.ac.nz	Tamaki sector switch

IP
--------
Source Address	Dest Address	Ver	Hdr Len
130.216.4.36	130.216.3.28	4	5
TOS	length	ID	flags	offset	TTL	chksum
0	173	29404	2	0	127	31614

Resolved Source
l.dmello.cls.auckland.ac.nz

Resolved Dest
dnaserver.itss.auckland.ac.nz 

TCP
--------
Source Port	Dest Port	Seq		Ack		
1804		135		1405542048	156113527
Offset	Reserved	Flags	Window	Checksum	Urgent Ptr
5	0		24	64240	65443		0

Options
--------
None


Flags
--------
RB 1	RB 0	URG	ACK	PSH	RST	SYN	FIN
			X	X				

DATA
--------
05000B03100000008500	..........
350050000000D016D016	5.P.......
00000000010000000100	..........
0100B84A9F4D1C7DCF11	...J.M.}..
861E0020AF6E7C570000	... .n|W..
0000045D888AEB1CC911	...]......
9FE808002B1048600200	....+.H`..
00000A020000582A0C00	......X*..
4E544C4D535350000100	NTLMSSP...
000007B208A007000700	..........
2E0000000E000E002000	........ .
00003430394131323954	..409A129T
454C454F505355414954	ELEOPSUAIT
4E4554	NET

DATA
--------
..........5.P....................J.M.}..... .n|W.....]......
....+.H`........X*..NTLMSSP..................... ...409A129T
ELEOPSUAITNET
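
Added example, not part of the original post: decoding the DATA bytes above as a DCE/RPC bind PDU shows the fields the signature name refers to (bind, little-endian data representation, IActivation interface UUID) and the NTLMSSP verifier, which is a first check when triaging an alert like this one. The function name and the fixed offsets (standard connection-oriented bind header, first context element only) are this example's assumptions; the IActivation IID is the value published in MS-DCOM.

```python
import struct
import uuid

# Payload bytes copied from the DATA section of the alert above (133 bytes).
PAYLOAD = bytes.fromhex(
    "05000B03100000008500" "350050000000D016D016" "00000000010000000100"
    "0100B84A9F4D1C7DCF11" "861E0020AF6E7C570000" "0000045D888AEB1CC911"
    "9FE808002B1048600200" "00000A020000582A0C00" "4E544C4D535350000100"
    "000007B208A007000700" "2E0000000E000E002000" "00003430394131323954"
    "454C454F505355414954" "4E4554"
)

IACTIVATION = uuid.UUID("4d9f4ab8-7d1c-11cf-861e-0020af6e7c57")  # IID from MS-DCOM
PTYPE_BIND = 0x0B


def parse_bind(pdu: bytes) -> dict:
    """Decode a connection-oriented DCE/RPC bind PDU (first context element only)."""
    if len(pdu) < 16:
        raise ValueError("shorter than the 16-byte common header")
    ver, minor, ptype, flags, drep0 = struct.unpack_from("<BBBBB", pdu, 0)
    little = (drep0 >> 4) == 1            # high nibble of drep[0]: 1 = little endian
    e = "<" if little else ">"
    frag_len, auth_len, call_id = struct.unpack_from(e + "HHI", pdu, 8)
    if ptype != PTYPE_BIND:
        raise ValueError(f"ptype {ptype:#x} is not a bind")
    if frag_len != len(pdu) or len(pdu) < 72:
        raise ValueError("truncated or multi-fragment PDU")
    n_ctx = pdu[24]                       # number of presentation contexts offered
    (ctx_id,) = struct.unpack_from(e + "H", pdu, 28)
    raw = pdu[32:48]                      # abstract syntax (interface) UUID
    iface = uuid.UUID(bytes_le=raw) if little else uuid.UUID(bytes=raw)
    (if_ver,) = struct.unpack_from(e + "I", pdu, 48)
    out = {"version": (ver, minor), "pfc_flags": flags, "little_endian": little,
           "call_id": call_id, "contexts": n_ctx, "context_id": ctx_id,
           "interface": iface, "if_version": if_ver,
           "is_iactivation": iface == IACTIVATION, "auth": None}
    if auth_len:                          # 8-byte auth header, then the auth value
        auth_type, auth_level = pdu[frag_len - auth_len - 8: frag_len - auth_len - 6]
        out["auth"] = {"type": auth_type, "level": auth_level,
                       "ntlmssp": pdu[frag_len - auth_len:].startswith(b"NTLMSSP\0")}
    return out


if __name__ == "__main__":
    for key, value in parse_bind(PAYLOAD).items():
        print(f"{key:15} {value}")
```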



