[Snort-users] HELP

Rajesh Patwardhan rpatwardhan at ...12309...
Fri Aug 20 10:17:02 EDT 2004


-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of
snort-users-request at lists.sourceforge.net
Sent: Friday, August 20, 2004 12:07 AM
To: snort-users at lists.sourceforge.net
Subject: Snort-users digest, Vol 1 #4477 - 1 msg

Send Snort-users mailing list submissions to
	snort-users at lists.sourceforge.net

To subscribe or unsubscribe via the World Wide Web, visit
or, via email, send a message with subject or body 'help' to
	snort-users-request at lists.sourceforge.net

You can reach the person managing the list at
	snort-users-admin at lists.sourceforge.net

When replying, please edit your Subject line so it is more specific than
"Re: Contents of Snort-users digest..."

Today's Topics:

   1. Re: Help,  tons of false positive ASN1 overflow attempts. (Sean


Message: 1
Date: Thu, 19 Aug 2004 19:22:56 -0600
From: Sean Brown <sblinux at ...9344...>
Subject: Re: [Snort-users] Help,  tons of false positive ASN1 overflow
To: snort-users at lists.sourceforge.net

On August 19, 2004 12:50 pm, Aharon wrote:
> Pardon my vague message here.  I am a snort newbie!
> I just installed Snort v2.2.0 and the latest signatures inside our 
> network here at work.  Anyway,  everything seems to work great,  
> except for a vast amount of false positive ASN1 warnings.
> I do not want to disable these ASN1 signatures becuase they would be 
> very usefull in finding virus infected PC's throughout our network.  
> Most ASN1 errors seem to be communications between XP clients and 
> windows 2000 and
> 2003 servers.
> For example:
> overflow attempt {tcp}
> .166 is a clean virus free XP client,  and .108 is a Windows 2003
> I am getting literally hundreds of these a second.
> How can I help in figuring out what this issue is?  I can provide any 
> info you need,  just tell me what you need me to do.

NTLMSSP is the NTLM secure service provider. If you have an Active
Directory domain then this will be happening on a regular basis and its
probably nothing to worry about.

-Sean Brown


Snort-users mailing list
Snort-users at lists.sourceforge.net

End of Snort-users Digest

More information about the Snort-users mailing list