[Snort-users] Help with a particular alert

Paul Martin pmartin at ...11611...
Fri Sep 17 05:47:00 EDT 2004

Ok, this is really bugging me. I've got 2 systems on our network that 
are continually spewing out something that's tripping this rule:

Sep 17 08:19:55 hgvsnort snort: [1:2382:13] NETBIOS SMB DCERPC NTLMSSP asn1 overflow attempt [Classification: Attempted Administrator Privilege Gain] [Priority: 1]: {TCP} <IP address A>:2622 -> <IP address B>:139

I'm familiar with the ASN1 overflow attack, which is why I'm little 
nervous that I'm seeing it on my network.  Now, both <IP address A> and 
<IP address B> are internal IPs.  And <IP address B> is always one of 3 
systems: both DNS servers, and a random client.  They've got the most 
current anti-virus and have been scanned for spyware.  What is it that 
I'm missing?  Could it be a false positive?  I don't really think it is, 
but I'm open to suggestion at this point.


Paul Martin
Network Technician
Hilton Grand Vacations Co.
(407) 393-3034
pmartin at ...11611...

More information about the Snort-users mailing list