[Snort-sigs] FP on "NETBIOS name query overflow attempt UDP"

Jason Haar Jason.Haar at ...651...
Tue Mar 1 18:44:28 EST 2005


sid:3196 under Snort-2.3.0

This triggered on a normal transaction between a client and a Win2K3 
Active Directory Domain Controller on our network. False Positive as far 
as I can tell.

 length = 100

000 : 08 92 40 00 00 01 00 00 00 00 00 01 20 45 4A 45   ..@......... EJE
010 : 4D 45 50 44 49 44 41 44 42 44 48 45 4C 45 4B 45   MEPDIDADBDHELEKE
020 : 4F 46 4B 44 44 46 41 43 41 43 41 41 41 00 00 20   OFKDDFACACAAA.. 
030 : 00 01 20 45 4A 45 4D 45 50 44 49 44 41 44 42 44   .. EJEMEPDIDADBD
040 : 48 45 4C 45 4B 45 4F 46 4B 44 44 46 41 43 41 43   HELEKEOFKDDFACAC
050 : 41 41 41 00 00 20 00 01 00 04 93 E0 00 06 20 00   AAA.. ........ .
060 : 0A 08 92 83                                       ....


-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
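
Decoding the payload above as a NetBIOS Name Service message (RFC 1001/1002) shows which fields a signature would be matching on when triaging an alert like this. The Python below is an added example, not part of the original post; the function names are illustrative, and it assumes one question followed by one additional NB record, which is the layout of this dump.

```python
import struct

# The 100-byte UDP payload from the post's hex dump, copied byte for byte.
PAYLOAD = bytes.fromhex("""
    08 92 40 00 00 01 00 00 00 00 00 01 20 45 4A 45
    4D 45 50 44 49 44 41 44 42 44 48 45 4C 45 4B 45
    4F 46 4B 44 44 46 41 43 41 43 41 41 41 00 00 20
    00 01 20 45 4A 45 4D 45 50 44 49 44 41 44 42 44
    48 45 4C 45 4B 45 4F 46 4B 44 44 46 41 43 41 43
    41 41 41 00 00 20 00 01 00 04 93 E0 00 06 20 00
    0A 08 92 83
""")
OPCODES = {0: "query", 5: "registration", 6: "release", 7: "wack", 8: "refresh"}

def decode_name(buf, off):
    """Return (name, suffix byte, next offset) for the name field at off.
    First-level encoding: each letter pair is one byte, high nibble first, 'A' = 0."""
    if buf[off] & 0xC0 == 0xC0:  # compression pointer to an earlier name
        ptr = struct.unpack_from("!H", buf, off)[0] & 0x3FFF
        if ptr >= off:  # only backward pointers, so recursion always ends
            raise ValueError("forward or self-referencing name pointer")
        name, suffix, _ = decode_name(buf, ptr)
        return name, suffix, off + 2
    enc = buf[off + 1:off + 33]
    if buf[off] != 32 or len(enc) != 32 or buf[off + 33:off + 34] != b"\x00":
        raise ValueError("not a 32-byte encoded name with an empty scope")
    if any(not 0x41 <= c <= 0x50 for c in enc):
        raise ValueError("name byte outside 'A'..'P'")
    raw = bytes((enc[i] - 0x41) << 4 | (enc[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].decode("ascii", "replace").rstrip(), raw[15], off + 34

def parse_nbns(buf):
    """Parse the header, one question and one additional NB record (assumed layout)."""
    tid, flags, qd, an, ns, ar = struct.unpack_from("!6H", buf, 0)
    qname, qsuffix, off = decode_name(buf, 12)
    qtype, qclass = struct.unpack_from("!2H", buf, off)
    rname, rsuffix, off = decode_name(buf, off + 4)
    rtype, rclass, ttl, rdlen, nb_flags = struct.unpack_from("!2HI2H", buf, off)
    addr = ".".join(str(b) for b in buf[off + 12:off + 16])
    return {
        "id": tid, "response": bool(flags & 0x8000),
        "opcode": OPCODES.get((flags >> 11) & 0xF, "unknown"),
        "counts": (qd, an, ns, ar), "question": (qname, qsuffix, qtype, qclass),
        "record": (rname, rsuffix, rtype, rclass), "ttl": ttl, "rdlength": rdlen,
        "group_name": bool(nb_flags & 0x8000), "address": addr,
        "consumed": off + 16,
    }

if __name__ == "__main__":
    print(parse_nbns(PAYLOAD))
```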




