[Snort-sigs] False positive with Win2K3 RESKIT tool against sid:2351

Brian Caswell bmc at ...95...
Tue Mar 8 21:08:37 EST 2005

Please send it to me.  hopefully you have full session...?


On Mar 8, 2005, at 7:51 PM, Jason Haar wrote:

> The rule "NETBIOS DCERPC ISystemActivator path overflow attempt little 
> endian unicode" triggers whenever we run the Win2K3 RESKIT "sonar" 
> tool.
> This tool is described as:
> Sonar.exe is a command-line tool that allows administrators to monitor 
> key statistics and status about members of a file replication service 
> (FRS) replica set. Administrators can use Sonar to watch key 
> statistics on a replica set in order to monitor traffic levels, 
> backlogs, and free space.
> Either sonar is attempting an overflow attempt (which I doubt - it's a 
> diagnostic tool - not a vuln scanner), or its a FP.
> I have packet captures - but they contain internal host details so I 
> won't include them here. Someone from Sourcefire is welcome to ask for 
> them (I might even say yes! ;-)
> Jason
> -------------------------------------------------------
> SF email is sponsored by - The IT Product Guide
> Read honest & candid reviews on hundreds of IT Products from real 
> users.
> Discover which products truly live up to the hype. Start reading now.
> http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs

More information about the Snort-sigs mailing list