[Snort-users] false positives?

Brian bmc at ...950...
Mon Nov 29 10:15:02 EST 2004


On Mon, Nov 29, 2004 at 09:14:32AM -0500, Jeff Schmidt (CACL Tech Asst) wrote:
>  I'm receiving a high number of the following alert:
> "NETBIOS SMB-DS DCERPC NTLMSSP asn1 overflow attempt"

Yep, this is known.  I've got an update for this rule that I'm
currently testing.  Look for an update soon.

> Also, I'm getting another alert that appears that it might be related: 
> "NETBIOS SMB-DS IPC$ share unicode access."  Again, is this just snort 
> detecting completely normal traffic?

Yes.  Do NOT disable this rule, unless you plan on disabling nearly
all of the other netbios rules at the same time.  If you don't want to
see alerts from this rule, add a suppression, or add a
"flowbits:noalert;" to the end of the rule.

Brian
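As an added illustration of the two options Brian describes (this is not part of his message), here is what each looks like in Snort 2 syntax. The SID, the flowbit name and the example network are placeholders and assumptions; take the real values from your own netbios.rules before using this.

```snort
# Added example, not taken from the mailing-list post.
# Placeholders: <SID> = the sid of the "IPC$ share unicode access" rule,
# <FLOWBIT> = the flowbit that rule sets for the other netbios rules.

# Option 1: suppression in snort.conf (or threshold.conf).
# The rule keeps running, so the flowbit it sets is still available to
# every netbios rule that checks it; only the alert output is dropped.
suppress gen_id 1, sig_id <SID>

# Narrower variant: suppress only for the sources that are expected to
# touch IPC$ legitimately (example network, assumed), so an unexpected
# host still produces the alert.
suppress gen_id 1, sig_id <SID>, track by_src, ip 192.0.2.0/24

# Option 2: edit the rule itself. "flowbits:noalert;" at the end of the
# option list lets the rule set its flowbit without generating an alert.
# Everything before it is only a sketch of the rule's shape.
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS IPC$ share unicode access"; flow:to_server,established; flowbits:set,<FLOWBIT>; flowbits:noalert; classtype:protocol-command-decode; sid:<SID>; rev:1;)
```

Option 1 survives a rule update, whereas an edited rule is overwritten the next time the ruleset is refreshed and has to be re-applied.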