[Snort-sigs] False +VE for NETBIOS DCERPC IActivation little endian bind attempt,Sig ID,3276

Russell Fulton r.fulton at ...575...
Thu Jun 30 17:01:20 EDT 2005


Joel Esler wrote:
> Are you sure this is a false positive? The signature is looking for the
> little endian bind in RPC. This looks to be that.
> 

Hi Joel,
Thanks for checking this out. I freely admit I would not recognise a "little endian bind in RPC" if it danced naked in front of me singing "Waltzing Matilda" :) as one of my colleagues used to say -- usually in reference to managers.

I do know that this is legit traffic, and since this rule does not have any documentation that I can find, I'm at a loss to know what to make of it. I may as well disable the rule. AFAIK both machines are Windows boxes.

Russell.



