[Snort-sigs] False +VE for NETBIOS DCERPC IActivation little endian bind attempt,Sig ID,3276

Joel Esler eslerj at ...2420...
Thu Jun 30 16:33:07 EDT 2005


Are you sure this is a false positive?  The signature is looking for
the little endian bind in RPC.  This looks to be that.

Joel


On Jun 30, 2005, at 6:56 PM, Russell Fulton wrote:

> These FPs are caused by traffic to our Ericsson PABX directory server.
>
> It would be nice if the rules could be tweaked so this traffic does  
> not trip them.
>
> Russell
>
> META
> --------
> SID    CID    TimeStamp        Signature
> 2    27770    2005-06-30 10:51:32    NETBIOS DCERPC IActivation  
> little endian bind attempt
> Sig ID
> 3276
>
> Sensor Hostname                Sensor Interface
> monitor-tmk.insec.auckland.ac.nz    Tamaki sector switch
>
> IP
> --------
> Source Address    Dest Address    Ver    Hdr Len
> 130.216.4.36    130.216.3.28    4    5
> TOS    length    ID    flags    offset    TTL    chksum
> 0    173    29404    2    0    127    31614
>
> Resolved Source
> l.dmello.cls.auckland.ac.nz
>
> Resolved Dest
> dnaserver.itss.auckland.ac.nz
> TCP
> --------
> Source Port    Dest Port    Seq        Ack
> 1804        135        1405542048    156113527
> Offset    Reserved    Flags    Window    Checksum    Urgent Ptr
> 5    0        24    64240    65443        0
>
> Options
> --------
> None
>
>
> Flags
> --------
> RB 1    RB 0    URG    ACK    PSH    RST    SYN    FIN
>             X    X
>
> DATA
> --------
> 05000B03100000008500    ..........
> 350050000000D016D016    5.P.......
> 00000000010000000100    ..........
> 0100B84A9F4D1C7DCF11    ...J.M.}..
> 861E0020AF6E7C570000    ... .n|W..
> 0000045D888AEB1CC911    ...]......
> 9FE808002B1048600200    ....+.H`..
> 00000A020000582A0C00    ......X*..
> 4E544C4D535350000100    NTLMSSP...
> 000007B208A007000700    ..........
> 2E0000000E000E002000    ........ .
> 00003430394131323954    ..409A129T
> 454C454F505355414954    ELEOPSUAIT
> 4E4554    NET
>
> DATA
> --------
> ..........5.P....................J.M.}..... .n|W.....]......
> ....+.H`........X*..NTLMSSP..................... ...409A129T
> ELEOPSUAITNET
>
>
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>
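To check Joel's point against the bytes Russell posted, here is a small DCE/RPC bind decoder run over the DATA dump from the alert above. This is an added example, not code from the thread or from the Snort rule set; the field layout follows the DCE 1.1 RPC spec (C706, bind PDU and auth verifier), and the identification of 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57 as IRemoteActivation (what the rule name calls IActivation) and of 8a885d04-... as the NDR transfer syntax comes from the DCOM and DCE specs, not from the page. The matching function encodes the three properties named in the rule title (bind PDU, little-endian data representation, IActivation abstract syntax) rather than reproducing the actual SID 3276 rule text, which is not on this page.

```python
import struct
import uuid

# Payload as posted in the alert's DATA section, re-joined line by line.
BIND_PDU = bytes.fromhex(
    "05000B03100000008500" "350050000000D016D016" "00000000010000000100"
    "0100B84A9F4D1C7DCF11" "861E0020AF6E7C570000" "0000045D888AEB1CC911"
    "9FE808002B1048600200" "00000A020000582A0C00" "4E544C4D535350000100"
    "000007B208A007000700" "2E0000000E000E002000" "00003430394131323954"
    "454C454F505355414954" "4E4554"
)

# Assumption (from MS-DCOM / DCE specs, not from the thread): interface UUIDs.
IREMOTEACTIVATION = "4d9f4ab8-7d1c-11cf-861e-0020af6e7c57"   # "IActivation" in rule names
NDR_TRANSFER_SYNTAX = "8a885d04-1ceb-11c9-9fe8-08002b104860"

PTYPE_BIND = 0x0B
AUTH_TYPE_NTLMSSP = 0x0A


def _uuid(raw: bytes, endian: str) -> str:
    # NDR encodes the first three UUID fields in the sender's byte order.
    return str(uuid.UUID(bytes_le=raw) if endian == "<" else uuid.UUID(bytes=raw))


def parse_bind(pdu: bytes) -> dict:
    """Decode a DCE/RPC connection-oriented PDU header; decode the body if it is a bind."""
    if len(pdu) < 16:
        raise ValueError("PDU shorter than the 16-byte common header")
    rpc_vers, rpc_vers_minor, ptype, pfc_flags = pdu[0], pdu[1], pdu[2], pdu[3]
    drep = pdu[4:8]
    little_endian = (drep[0] & 0xF0) == 0x10     # high nibble 1 = little-endian integers
    endian = "<" if little_endian else ">"
    frag_length, auth_length, call_id = struct.unpack(endian + "HHI", pdu[8:16])
    info = {
        "rpc_vers": (rpc_vers, rpc_vers_minor), "ptype": ptype, "pfc_flags": pfc_flags,
        "little_endian": little_endian, "frag_length": frag_length,
        "auth_length": auth_length, "call_id": call_id, "contexts": [], "auth": None,
    }
    if ptype != PTYPE_BIND or len(pdu) < frag_length:
        return info

    info["max_xmit_frag"], info["max_recv_frag"], info["assoc_group_id"] = \
        struct.unpack(endian + "HHI", pdu[16:24])
    n_ctx = pdu[24]                               # then 1 + 2 reserved bytes
    off = 28
    for _ in range(n_ctx):
        cont_id, n_ts = struct.unpack(endian + "HB", pdu[off:off + 3])
        off += 4                                  # 1 reserved byte after n_transfer_syn
        abstract = _uuid(pdu[off:off + 16], endian)
        (if_version,) = struct.unpack(endian + "I", pdu[off + 16:off + 20])
        off += 20
        syntaxes = []
        for _ in range(n_ts):
            ts_uuid = _uuid(pdu[off:off + 16], endian)
            (ts_ver,) = struct.unpack(endian + "I", pdu[off + 16:off + 20])
            syntaxes.append((ts_uuid, ts_ver))
            off += 20
        info["contexts"].append({"context_id": cont_id, "abstract_syntax": abstract,
                                 "if_version": if_version, "transfer_syntaxes": syntaxes})

    if auth_length:
        # The 8-byte auth verifier header sits auth_length + 8 bytes before the fragment end.
        a_off = frag_length - auth_length - 8
        auth_type, auth_level, pad_len, _reserved = pdu[a_off:a_off + 4]
        (ctx_id,) = struct.unpack(endian + "I", pdu[a_off + 4:a_off + 8])
        info["auth"] = {"type": auth_type, "level": auth_level, "pad_length": pad_len,
                        "context_id": ctx_id,
                        "value": pdu[a_off + 8:a_off + 8 + auth_length]}
    return info


def parse_ntlm_negotiate(value: bytes) -> dict:
    """Decode the fixed fields of an NTLMSSP NEGOTIATE (type 1) message."""
    if value[:8] != b"NTLMSSP\x00":
        raise ValueError("not an NTLMSSP message")
    msg_type, flags = struct.unpack("<II", value[8:16])
    d_len, _d_max, d_off = struct.unpack("<HHI", value[16:24])
    w_len, _w_max, w_off = struct.unpack("<HHI", value[24:32])
    # Type 1 domain/workstation names are OEM strings, regardless of the UNICODE flag.
    return {"message_type": msg_type, "flags": flags,
            "domain": value[d_off:d_off + d_len].decode("ascii", "replace"),
            "workstation": value[w_off:w_off + w_len].decode("ascii", "replace")}


def matches_iactivation_le_bind(info: dict) -> bool:
    """The three properties the rule title names: bind, little-endian, IActivation."""
    return (info["ptype"] == PTYPE_BIND and info["little_endian"]
            and any(c["abstract_syntax"] == IREMOTEACTIVATION for c in info["contexts"]))


if __name__ == "__main__":
    decoded = parse_bind(BIND_PDU)
    print(decoded)
    print(parse_ntlm_negotiate(decoded["auth"]["value"]))
    print("rule criteria met:", matches_iactivation_le_bind(decoded))
```

Run against the posted payload, the decoder reports a bind (ptype 0x0B, FIRST|LAST flags), little-endian NDR, one presentation context for IRemoteActivation with the NDR transfer syntax, and an NTLMSSP connect-level auth verifier whose NEGOTIATE message carries the client workstation and domain seen in the ASCII column of the dump. That is exactly what the rule title describes, so the rule did what it was written to do; the question is whether that activity is expected between this client and the directory server. If it is, a `suppress` entry in threshold.conf keyed on the server address (`track by_dst`) for gen_id 1, sig_id 3276 quiets it for that host without loosening the rule for the rest of the network.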