[Snort-users] Help, tons of false positive ASN1 overflow attempts.

Sean Brown sblinux at ...9344...
Thu Aug 19 18:33:10 EDT 2004


On August 19, 2004 12:50 pm, Aharon wrote:
> Pardon my vague message here.  I am a snort newbie!
>
> I just installed Snort v2.2.0 and the latest signatures inside our network
> here at work.  Anyway,  everything seems to work great,  except for a vast
> amount of false positive ASN1 warnings.
>
> I do not want to disable these ASN1 signatures becuase they would be very
> usefull in finding virus infected PC's throughout our network.  Most ASN1
> errors seem to be communications between XP clients and windows 2000 and
> 2003 servers.
>
> For example:
> 0.01	1 	172.16.221.166 	10.33.1.108 NETBIOS SMB DCERPC NTLMSSP asn1
> overflow attempt {tcp}
>
> .166 is a clean virus free XP client,  and .108 is a Windows 2003 server.
> I am getting literally hundreds of these a second.
>
> How can I help in figuring out what this issue is?  I can provide any info
> you need,  just tell me what you need me to do.

NTLMSSP is the NTLM secure service provider. If you have an Active Directory 
domain then this will be happening on a regular basis and its probably 
nothing to worry about.

-Sean Brown




More information about the Snort-users mailing list