[Snort-users] false positives?

Jeff Schmidt (CACL Tech Asst) schmidje at ...11869...
Mon Nov 29 06:22:01 EST 2004


Hello,
  I'm receiving a high number of the following alert: "NETBIOS SMB-DS DCERPC
NTLMSSP asn1 overflow attempt" (references: nessus; cve
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2003-0818>; icat
<http://icat.nist.gov/icat.cfm?cvename=2003-0818>; bugtraq
<http://www.securityfocus.com/bid/9635>; bugtraq
<http://www.securityfocus.com/bid/9633>; snort
<http://www.snort.org/snort-db/sid.html?sid=2383>)

From the alert description, it would appear to be a virus or worm of 
some sort that is attempting to infect our Active Directory server. 
However, we have up-to-date virus protection (Symantec A/V 9 with 
up-to-date virus defs) on all our workstations, and a scan of any of the 
workstations does not report any threats detected. So, I'm wondering if 
this alert is possibly a false positive that is just detecting normal 
Windows network activity between our workstations and our domain server? 
I should note that the destination address of these alerts is *always* 
the AD server and never any other machine. Is it safe to turn off this 
detection rule?

Also, I'm getting another alert that appears that it might be related: 
"NETBIOS SMB-DS IPC$ share unicode access". Again, is this just Snort 
detecting completely normal traffic?

Jeff Schmidt
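Added example (not part of the post above, and not Snort project code): a small Python script that tallies Snort "alert_fast" lines by signature and destination, so the claim that every sid 2383 hit lands on one AD server can be checked from the logs, and that emits a Snort 2 threshold.conf `suppress` line scoped to that destination instead of disabling the rule. The alert lines and IPs are constructed; the sid used for the IPC$ rule is a placeholder, since the post does not give it.

```python
"""Tally Snort fast-format alerts by signature and destination, and propose
a destination-scoped suppression only where every hit goes to one known server."""
import re
from collections import defaultdict

# Constructed sample lines in Snort's alert_fast format; IPs are made up.
# sid 2383 is the rule named in the post; 1:9999 is a placeholder for the IPC$ rule.
SAMPLE_ALERTS = """\
11/29-06:10:01.000001  [**] [1:2383:5] NETBIOS SMB-DS DCERPC NTLMSSP asn1 overflow attempt [**] [Priority: 1] {TCP} 10.1.1.21:1042 -> 10.1.1.5:445
11/29-06:10:07.000002  [**] [1:2383:5] NETBIOS SMB-DS DCERPC NTLMSSP asn1 overflow attempt [**] [Priority: 1] {TCP} 10.1.1.22:1300 -> 10.1.1.5:445
11/29-06:11:19.000003  [**] [1:9999:1] NETBIOS SMB-DS IPC$ share unicode access [**] [Priority: 3] {TCP} 10.1.1.21:1043 -> 10.1.1.5:445
11/29-06:12:44.000004  [**] [1:2383:5] NETBIOS SMB-DS DCERPC NTLMSSP asn1 overflow attempt [**] [Priority: 1] {TCP} 10.1.1.23:2201 -> 10.1.1.5:445
11/29-06:13:02.000005  [**] [1:9999:1] NETBIOS SMB-DS IPC$ share unicode access [**] [Priority: 3] {TCP} 10.1.1.23:2202 -> 10.1.1.9:445
"""

ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):\d+\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):\d+"
)


def parse_alerts(text):
    """Return one dict (gid, sid, msg, proto, src, dst) per parsable alert line."""
    return [m.groupdict() for m in map(ALERT_RE.search, text.splitlines()) if m]


def destinations_by_sid(alerts):
    """Map (gid, sid) -> {destination IP: hit count}."""
    table = defaultdict(lambda: defaultdict(int))
    for a in alerts:
        table[(a["gid"], a["sid"])][a["dst"]] += 1
    return table


def suppress_candidates(alerts, known_servers):
    """Build threshold.conf 'suppress' lines for signatures whose hits all land on
    a single host in known_servers. Tracking by destination keeps the rule live
    for every other host, which disabling the rule outright would not."""
    lines = []
    for (gid, sid), dsts in sorted(destinations_by_sid(alerts).items()):
        if len(dsts) == 1:
            (dst,) = dsts
            if dst in known_servers:
                lines.append(f"suppress gen_id {gid}, sig_id {sid}, track by_dst, ip {dst}")
    return lines


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    for key, dsts in destinations_by_sid(parsed).items():
        print(key, dict(dsts))
    print("\n".join(suppress_candidates(parsed, {"10.1.1.5"})))
```

In the sample the placeholder IPC$ signature hits two destinations, so only sid 2383 gets a suppression line; a suppression only hides the alert, so the target's patch status for CVE-2003-0818 still needs checking separately.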