[Snort-sigs] False +VE for NETBIOS DCERPC IActivation little endian bind attempt,Sig ID,3276
r.fulton at ...575...
Thu Jun 30 17:01:20 EDT 2005
Joel Esler wrote:
> Are you sure this is a false positive? The Signature is looking for the
> little endian bind in RPC. This looks to be that.
Thanks for checking this out. I freely admit I would not recognise a "little endian bind in RPC" if it danced naked in front of me singing "Waltzing Matilda" :) as one of my colleagues used to say -- usually in reference to managers.
I do know that this is legit traffic, and since this rule does not have any documentation that I can find, I'm at a loss to know what to make of it. I may as well disable the rule. AFAIK both machines are Windows boxes.