[Snort-users] Help with a particular alert

Esler, Joel - Contractor joel.esler at ...9426...
Fri Sep 17 07:12:08 EDT 2004

You know I saw a couple of those recently as well.  Hm..

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Paul
Sent: Friday, September 17, 2004 8:43 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Help with a particular alert

Ok, this is really bugging me. I've got 2 systems on our network that 
are continually spewing out something that's tripping this rule:

Sep 17 08:19:55 hgvsnort snort: [1:2382:13] NETBIOS SMB DCERPC NTLMSSP
asn1 overflow attempt [Classification: Attempted Administrator Privilege
Gain] [Priority: 1]: {TCP} <IP address A>:2622 -> <IP address B>:139

I'm familiar with the ASN1 overflow attack, which is why I'm a little 
nervous that I'm seeing it on my network.  Now, both <IP address A> and 
<IP address B> are internal IPs.  And <IP address B> is always one of 3 
systems: both DNS servers, and a random client.  They've got the most 
current anti-virus and have been scanned for spyware.  What is it that 
I'm missing?  Could it be a false positive?  I don't really think it is, 
but I'm open to suggestion at this point.


Paul Martin
Network Technician
Hilton Grand Vacations Co.
(407) 393-3034
pmartin at ...11611...
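A small triage helper for the situation Paul describes, added here as an example (not code from the list or from the Snort project): it parses Snort's syslog-style alert lines, keeps only hits of one SID where both endpoints are internal, and counts them per source, destination and port so that a single internal host repeatedly hitting the same few SMB listeners stands out. The RFC 1918 "internal" definition and the sample log lines are assumptions/constructed, not from the post.

```python
import re
import ipaddress
from collections import Counter

# Matches the syslog-style Snort alert format shown in the post:
# [gid:sid:rev] msg [Classification: ...] [Priority: n]: {PROTO} SRC:PORT -> DST:PORT
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+"
    r"\[Classification:\s*(?P<cls>[^\]]+)\]\s+\[Priority:\s*(?P<pri>\d+)\]:\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Assumption: "internal" means RFC 1918 space; replace with the site's own ranges.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def parse_alert(line):
    """Return the alert's fields as a dict, or None if the line is not a Snort alert."""
    m = ALERT_RE.search(line)
    if m is None:
        return None
    a = m.groupdict()
    for k in ("gid", "sid", "rev", "pri", "sport", "dport"):
        a[k] = int(a[k])
    a["internal_to_internal"] = is_internal(a["src"]) and is_internal(a["dst"])
    return a

def summarize_sid(lines, sid):
    """Count internal->internal hits of one SID per (src, dst, dport).
    A source that keeps hitting the same few SMB listeners (139/445) is the
    host to take off the network and examine first."""
    counts = Counter()
    for line in lines:
        a = parse_alert(line)
        if a and a["sid"] == sid and a["internal_to_internal"]:
            counts[(a["src"], a["dst"], a["dport"])] += 1
    return counts

# Constructed sample log lines; addresses are made up and 1000001 is a local test SID.
HDR = "Sep 17 08:19:55 hgvsnort snort: "
MSG = "[1:2382:13] NETBIOS SMB DCERPC NTLMSSP asn1 overflow attempt [Classification: Attempted Administrator Privilege Gain] [Priority: 1]: {TCP} "
SAMPLE_LOG = [HDR + MSG + "10.1.1.50:2622 -> 10.1.1.10:139",
              HDR + MSG + "10.1.1.50:2640 -> 10.1.1.10:139",
              HDR + MSG + "10.1.1.50:2651 -> 10.1.1.11:139",
              HDR + MSG + "203.0.113.7:4100 -> 10.1.1.10:139",   # external source, excluded
              HDR + "[1:1000001:1] LOCAL TEST RULE [Classification: Misc activity] [Priority: 3]: {UDP} 10.1.1.50:53 -> 10.1.1.10:53"]

if __name__ == "__main__":
    for (src, dst, dport), n in summarize_sid(SAMPLE_LOG, 2382).most_common():
        print(f"{src} -> {dst}:{dport}  {n} alert(s)")
```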
