[Snort-users] false positives?
Jeff Schmidt (CACL Tech Asst)
schmidje at ...11869...
Mon Nov 29 06:22:01 EST 2004
I'm receiving a high number of the following alert: "[sid 2383
<http://www.snort.org/snort-db/sid.html?sid=2383>] NETBIOS SMB-DS DCERPC
NTLMSSP asn1 overflow attempt"
From the alert description, it would appear to be a virus or worm of
some sort that is attempting to infect our Active Directory server.
However, we have up-to-date virus protection (Symantec A/V 9 with
up-to-date virus defs) on all our workstations, and a scan of any of the
workstations does not report any threats detected. So, I'm wondering if
this alert is possibly a false positive that is just detecting normal
Windows network activity between our workstations and our domain server?
I should note that the destination address of these alerts is *always*
the AD server and never any other machine. Is it safe to turn off this
Also, I'm getting another alert that appears that it might be related:
"NETBIOS SMB-DS IPC$ share unicode access." Again, is this just snort
detecting completely normal traffic?
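One way to check the poster's observation (that every sid 2383 alert targets the AD server from internal workstations) before deciding what to do with the rule, as an added example that is not part of the original post or of Snort itself. It parses Snort's alert_fast (-A fast) output, groups alerts by sid, flags rules whose alerts all go from internal hosts to a single internal destination, and emits the Snort 2.x threshold.conf `suppress` entries that would silence the rule for that destination only, rather than turning the rule off everywhere. The sample alert lines, the AD server address 192.168.1.10, the 192.168.1.0/24 range, the classification strings and the sid 99999 used for the IPC$ rule are all constructed for the example; only sid 2383 comes from the post.

```python
import ipaddress
import re

# Regex for Snort's alert_fast line format:
# <timestamp>  [**] [gid:sid:rev] <msg> [**] [Classification: ...] [Priority: N] {PROTO} src:sport -> dst:dport
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.+?)\s+\[\*\*\]"
    r".*?\{(?P<proto>[A-Z]+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)\s*$"
)

# Constructed sample alerts (not taken from the original post or a real sensor).
# Assumptions: AD server is 192.168.1.10, workstations are .50/.51/.52,
# sid 2383 is the rule quoted in the post, sid 99999 is a placeholder for
# the IPC$ rule (not its real sid), and the classification text is invented.
SAMPLE_ALERTS = """\
11/29-06:10:01.118372  [**] [1:2383:9] NETBIOS SMB-DS DCERPC NTLMSSP asn1 overflow attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.1.50:1037 -> 192.168.1.10:445
11/29-06:10:03.220941  [**] [1:2383:9] NETBIOS SMB-DS DCERPC NTLMSSP asn1 overflow attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.1.51:1042 -> 192.168.1.10:445
11/29-06:10:07.004113  [**] [1:99999:1] NETBIOS SMB-DS IPC$ share unicode access [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.1.52:1055 -> 192.168.1.10:445
11/29-06:11:15.771204  [**] [1:2383:9] NETBIOS SMB-DS DCERPC NTLMSSP asn1 overflow attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.1.52:1061 -> 192.168.1.10:445
this line is not a Snort alert and is skipped by the parser
"""


def parse_alert(line):
    """Return the fields of one alert_fast line as a dict, or None if the line does not match."""
    m = ALERT_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize(text):
    """Group alerts by sid: rule message, count, and the distinct sources, destinations and ports seen."""
    summary = {}
    for line in text.splitlines():
        a = parse_alert(line)
        if a is None:
            continue
        entry = summary.setdefault(
            a["sid"], {"msg": a["msg"], "count": 0, "srcs": set(), "dsts": set(), "dports": set()}
        )
        entry["count"] += 1
        entry["srcs"].add(a["src"])
        entry["dsts"].add(a["dst"])
        entry["dports"].add(int(a["dport"]))
    return summary


def single_destination_sids(summary, internal_cidr):
    """Sids whose alerts all come from hosts inside internal_cidr and all hit one host inside it.

    Many internal clients talking to one internal server is the shape of normal
    traffic tripping a rule; it is a triage hint for tuning, not proof of benign traffic.
    """
    net = ipaddress.ip_network(internal_cidr)
    internal = lambda ip: ipaddress.ip_address(ip) in net
    return sorted(
        sid
        for sid, e in summary.items()
        if len(e["dsts"]) == 1 and all(map(internal, e["dsts"])) and all(map(internal, e["srcs"]))
    )


def suppress_lines(summary, sids):
    """Snort 2.x threshold.conf 'suppress' entries that silence a sid for its single destination only,
    leaving the rule active for traffic to every other host."""
    lines = []
    for sid in sids:
        (dst,) = summary[sid]["dsts"]
        lines.append(f"suppress gen_id 1, sig_id {sid}, track by_dst, ip {dst}")
    return lines


if __name__ == "__main__":
    summary = summarize(SAMPLE_ALERTS)
    for sid, e in sorted(summary.items()):
        print(f"sid {sid}: {e['count']} alerts, {len(e['srcs'])} sources -> "
              f"{sorted(e['dsts'])} ports {sorted(e['dports'])}  {e['msg']}")
    candidates = single_destination_sids(summary, "192.168.1.0/24")
    print("\n".join(suppress_lines(summary, candidates)))
```

Run against real alert_fast output (for example the file written by `-A fast`), the summary shows whether the single-destination pattern the poster describes actually holds; if it does, the generated `suppress` lines go into threshold.conf so the rule still fires for the same traffic aimed at any other host, which a blanket disable would not.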