[Snort-users] Help with a particular alert

Scott Zawalski scott.zawalski at ...5689...
Mon Sep 20 09:31:05 EDT 2004

There is no way for us to tell if it is a false positive without actual 
packet data. Just X out the IPs and post it.


Paul Martin wrote:

> Ok, this is really bugging me. I've got 2 systems on our network that 
> are continually spewing out something that's tripping this rule:
> Sep 17 08:19:55 hgvsnort snort: [1:2382:13] NETBIOS SMB DCERPC NTLMSSP 
> asn1 overflow attempt [Classification: Attempted Administrator 
> Privilege Gain] [Priority: 1]: {TCP} <IP address A>:2622 -> <IP 
> address B>:139
> I'm familiar with the ASN1 overflow attack, which is why I'm little 
> nervous that I'm seeing it on my network.  Now, both <IP address A> 
> and <IP address B> are internal IPs.  And <IP address B> is always one 
> of 3 systems: both DNS servers, and a random client.  They've got the 
> most current anti-virus and have been scanned for spyware.  What is it 
> that I'm missing?  Could it be a false positive?  I don't really think 
> it is, but I'm open to suggestion at this point.

More information about the Snort-users mailing list