<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns="http://www.w3.org/TR/REC-html40">

<head>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">


<meta name=ProgId content=Word.Document>
<meta name=Generator content="Microsoft Word 11">
<meta name=Originator content="Microsoft Word 11">
<link rel=File-List href="cid:filelist.xml@...1901...">
<!--[if gte mso 9]><xml>
 <o:OfficeDocumentSettings>
  <o:DoNotRelyOnCSS/>
 </o:OfficeDocumentSettings>
</xml><![endif]--><!--[if gte mso 9]><xml>
 <w:WordDocument>
  <w:SpellingState>Clean</w:SpellingState>
  <w:GrammarState>Clean</w:GrammarState>
  <w:DocumentKind>DocumentEmail</w:DocumentKind>
  <w:EnvelopeVis/>
  <w:ValidateAgainstSchemas/>
  <w:SaveIfXMLInvalid>false</w:SaveIfXMLInvalid>
  <w:IgnoreMixedContent>false</w:IgnoreMixedContent>
  <w:AlwaysShowPlaceholderText>false</w:AlwaysShowPlaceholderText>
  <w:Compatibility>
   <w:BreakWrappedTables/>
   <w:SnapToGridInCell/>
   <w:WrapTextWithPunct/>
   <w:UseAsianBreakRules/>
   <w:UseWord2002TableStyleRules/>
  </w:Compatibility>
  <w:BrowserLevel>MicrosoftInternetExplorer4</w:BrowserLevel>
 </w:WordDocument>
</xml><![endif]--><!--[if gte mso 9]><xml>
 <w:LatentStyles DefLockedState="false" LatentStyleCount="156">
 </w:LatentStyles>
</xml><![endif]-->
<style>
<!--
 /* Style Definitions */
 p.MsoNormal, li.MsoNormal, div.MsoNormal
        {mso-style-parent:"";
        margin:0in;
        margin-bottom:.0001pt;
        mso-pagination:widow-orphan;
        font-size:12.0pt;
        font-family:"Times New Roman";
        mso-fareast-font-family:"Times New Roman";}
a:link, span.MsoHyperlink
        {color:blue;
        text-decoration:underline;
        text-underline:single;}
a:visited, span.MsoHyperlinkFollowed
        {color:purple;
        text-decoration:underline;
        text-underline:single;}
span.EmailStyle17
        {mso-style-type:personal-compose;
        mso-style-noshow:yes;
        mso-ansi-font-size:10.0pt;
        mso-bidi-font-size:10.0pt;
        font-family:Arial;
        mso-ascii-font-family:Arial;
        mso-hansi-font-family:Arial;
        mso-bidi-font-family:Arial;
        color:windowtext;}
span.SpellE
        {mso-style-name:"";
        mso-spl-e:yes;}
span.GramE
        {mso-style-name:"";
        mso-gram-e:yes;}
@page Section1
        {size:8.5in 11.0in;
        margin:1.0in 1.25in 1.0in 1.25in;
        mso-header-margin:.5in;
        mso-footer-margin:.5in;
        mso-paper-source:0;}
div.Section1
        {page:Section1;}
-->
</style>
<!--[if gte mso 10]>
<style>
 /* Style Definitions */ 
 table.MsoNormalTable
        {mso-style-name:"Table Normal";
        mso-tstyle-rowband-size:0;
        mso-tstyle-colband-size:0;
        mso-style-noshow:yes;
        mso-style-parent:"";
        mso-padding-alt:0in 5.4pt 0in 5.4pt;
        mso-para-margin:0in;
        mso-para-margin-bottom:.0001pt;
        mso-pagination:widow-orphan;
        font-size:10.0pt;
        font-family:"Times New Roman";
        mso-ansi-language:#0400;
        mso-fareast-language:#0400;
        mso-bidi-language:#0400;}
</style>
<![endif]-->
</head>

<body lang=EN-US link=blue vlink=purple style='tab-interval:.5in'>

<div class=Section1>

<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>Has anyone found a false positive for the NETBIOS DCERPC <span
class=SpellE>ISystemActivator</span> bind attempt rule? I have a machine that
is constantly matching this rule, but I ran the Symantec tools to look for the
MSBlast worm and they found nothing.<o:p></o:p></span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'><o:p> </o:p></span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>Here is what my rule looks like:<o:p></o:p></span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'><o:p> </o:p></span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>alert <span class=SpellE>tcp</span> any <span class=SpellE>any</span>
-> any 135 (<span class=SpellE>msg:"NETBIOS</span> DCERPC <span
class=SpellE>ISystemActivator</span> bind attempt"; <span class=SpellE>flow:to_server,established</span>;
content:"|05|"; distance:0; within:1; content:"|0b|";
distance:1; within:1; byte_test:1,&,1,0,relative; content:"|A0 01 00 <span
class=SpellE>00</span> <span class=SpellE>00</span> <span class=SpellE>00</span>
<span class=SpellE>00</span> <span class=SpellE>00</span> C0 00 <span
class=SpellE>00</span> <span class=SpellE>00</span> <span class=SpellE>00</span>
<span class=SpellE>00</span> <span class=SpellE>00</span> 46|";
distance:29; within:16; reference:cve,CAN-2003-0352; <span class=SpellE>classtype:attempted</span>-admin;
sid:2192; rev:1;)<o:p></o:p></span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'><o:p> </o:p></span></font></p>

<p class=MsoNormal><span class=GramE><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'>and</span></font></span><font
size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'> here is the
packet that was captured. Could this be normal traffic?<o:p></o:p></span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'><o:p> </o:p></span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>05 00 0B 03 10 00 <span class=SpellE>00</span> <span
class=SpellE>00</span> 7C 00 2C 00 02 00 <span class=SpellE>00</span> <span
class=SpellE>00</span><span style='mso-spacerun:yes'>   </span>........|<span
class=GramE>.,.....</span><o:p></o:p></span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>D0 16 D0 16 59 08 01 00 01 00 <span class=SpellE>00</span> <span
class=SpellE>00</span> 01 00 01 00<span style='mso-spacerun:yes'>  
</span>....Y...........<o:p></o:p></span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>A0 01 00 <span class=SpellE>00</span> <span class=SpellE>00</span>
<span class=SpellE>00</span> <span class=SpellE>00</span> <span class=SpellE>00</span>
C0 00 <span class=SpellE>00</span> <span class=SpellE>00</span> <span
class=SpellE>00</span> <span class=SpellE>00</span> <span class=SpellE>00</span>
46<span style='mso-spacerun:yes'>   </span>...............F<o:p></o:p></span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>00 <span class=SpellE>00</span> <span class=SpellE>00</span>
<span class=SpellE>00</span> 04 5D 88 8A EB 1C C9 11 9F E8 08 00<span
style='mso-spacerun:yes'>   </span>.....]..........<o:p></o:p></span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>2B 10 48 60 02 00 <span class=SpellE>00</span> <span
class=SpellE>00</span> 0A 02 00 <span class=SpellE>00</span> D0 5B 0B 00<span
style='mso-spacerun:yes'>   </span>+.H`<span class=GramE>.........[</span>..<o:p></o:p></span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>4E 54 4C 4D 53 <span class=SpellE>53</span> 50 00 01 00 <span
class=SpellE>00</span> <span class=SpellE>00</span> 07 B2 00 A0<span
style='mso-spacerun:yes'>   </span>NTLMSSP.........<o:p></o:p></span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>03 00 03 00 29 00 <span class=SpellE>00</span> <span
class=SpellE>00</span> 09 00 09 00 20 00 <span class=SpellE>00</span> <span
class=SpellE>00</span><span style='mso-spacerun:yes'>   </span>....)....... ...<o:p></o:p></span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>46 49 53 48 42 4F 57 4C 31 44 45 56<span
style='mso-spacerun:yes'>     </span><span
style='mso-spacerun:yes'>          </span>FISHBOWL1DEV <o:p></o:p></span></font></p>

</div>

</body>

</html>