[Snort-sigs] False positive with Win2K3 RESKIT tool against sid:2351
Jason.Haar at ...651...
Tue Mar 8 16:52:12 EST 2005
The rule "NETBIOS DCERPC ISystemActivator path overflow attempt little
endian unicode" triggers whenever we run the Win2K3 RESKIT "sonar" tool.

This tool is described as:

Sonar.exe is a command-line tool that allows administrators to monitor
key statistics and status about members of a file replication service
(FRS) replica set. Administrators can use Sonar to watch key statistics
on a replica set in order to monitor traffic levels, backlogs, and free

Either sonar is attempting an overflow attempt (which I doubt - it's a
diagnostic tool - not a vuln scanner), or it's a FP.

I have packet captures - but they contain internal host details so I
won't include them here. Someone from Sourcefire is welcome to ask for
them (I might even say yes! ;-)