[Snort-sigs] False positive with Win2K3 RESKIT tool against sid:2351

Jason Haar Jason.Haar at ...651...
Tue Mar 8 16:52:12 EST 2005

The rule "NETBIOS DCERPC ISystemActivator path overflow attempt little 
endian unicode" triggers whenever we run the Win2K3 RESKIT "sonar" tool.

This tool is described as:

Sonar.exe is a command-line tool that allows administrators to monitor 
key statistics and status about members of a file replication service 
(FRS) replica set. Administrators can use Sonar to watch key statistics 
on a replica set in order to monitor traffic levels, backlogs, and free 

Either sonar is attempting an overflow attempt (which I doubt - it's a 
diagnostic tool - not a vuln scanner), or its a FP.

I have packet captures - but they contain internal host details so I 
won't include them here. Someone from Sourcefire is welcome to ask for 
them (I might even say yes! ;-)


More information about the Snort-sigs mailing list