Snort mailing list archives

Re: Help with a particular alert


From: Scott Zawalski <scott.zawalski () web de>
Date: Mon, 20 Sep 2004 09:29:42 -0700

There is no way for us to tell if it is a false positive without actual packet data. Just X out the IPs and post it.

Scott


Paul Martin wrote:

Ok, this is really bugging me. I've got 2 systems on our network that are continually spewing out something that's tripping this rule:

Sep 17 08:19:55 hgvsnort snort: [1:2382:13] NETBIOS SMB DCERPC NTLMSSP asn1 overflow attempt [Classification: Attempted Administrator Privilege Gain] [Priority: 1]: {TCP} <IP address A>:2622 -> <IP address B>:139


I'm familiar with the ASN1 overflow attack, which is why I'm a little nervous that I'm seeing it on my network. Now, both <IP address A> and <IP address B> are internal IPs. And <IP address B> is always one of 3 systems: both DNS servers, and a random client. They've got the most current anti-virus and have been scanned for spyware. What is it that I'm missing? Could it be a false positive? I don't really think it is, but I'm open to suggestion at this point.





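An added example, not code from the thread or from the Snort project: a small Python parser for the syslog-style alert line quoted above (generator:signature:revision, message, classification, priority, protocol, endpoints), plus the redaction Scott suggests before posting, done with stable placeholders so a reader can still see that the same host recurs. The sample lines, sensor name, timestamps and RFC 1918 addresses are constructed; the fourth line is an unrelated ICMP alert included only to show that portless lines parse too.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Constructed sample log lines (assumption): same layout as the alert quoted
# in the thread, with made-up private addresses in place of the X'd-out ones.
SAMPLE_ALERTS = [
    "Sep 17 08:19:55 hgvsnort snort: [1:2382:13] NETBIOS SMB DCERPC NTLMSSP asn1 overflow attempt "
    "[Classification: Attempted Administrator Privilege Gain] [Priority: 1]: {TCP} 10.1.2.3:2622 -> 10.1.2.4:139",
    "Sep 17 08:20:01 hgvsnort snort: [1:2382:13] NETBIOS SMB DCERPC NTLMSSP asn1 overflow attempt "
    "[Classification: Attempted Administrator Privilege Gain] [Priority: 1]: {TCP} 10.1.2.3:2623 -> 10.1.2.5:139",
    "Sep 17 08:20:07 hgvsnort snort: [1:2382:13] NETBIOS SMB DCERPC NTLMSSP asn1 overflow attempt "
    "[Classification: Attempted Administrator Privilege Gain] [Priority: 1]: {TCP} 10.1.2.9:1044 -> 10.1.2.4:139",
    "Sep 17 08:21:30 hgvsnort snort: [1:384:5] ICMP PING "
    "[Classification: Misc activity] [Priority: 3]: {ICMP} 10.1.2.9 -> 10.1.2.4",
]

# One alert per line: "<syslog ts> <host> snort: [gid:sid:rev] <msg>
# [Classification: ...] [Priority: N]: {PROTO} src[:port] -> dst[:port]".
# Ports are optional so ICMP and other portless alerts still match.
ALERT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) snort: "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) "
    r"\[Classification: (?P<classification>[^\]]+)\] \[Priority: (?P<priority>\d+)\]: "
    r"\{(?P<proto>[A-Z]+)\} (?P<src>\S+?)(?::(?P<sport>\d+))? -> (?P<dst>\S+?)(?::(?P<dport>\d+))?$"
)

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


@dataclass
class SnortAlert:
    timestamp: str
    sensor: str
    gid: int
    sid: int
    rev: int
    msg: str
    classification: str
    priority: int
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]


def parse_alert(line: str) -> Optional[SnortAlert]:
    """Parse one alert line; return None for lines that are not alerts."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    return SnortAlert(
        timestamp=g["ts"], sensor=g["host"],
        gid=int(g["gid"]), sid=int(g["sid"]), rev=int(g["rev"]),
        msg=g["msg"], classification=g["classification"],
        priority=int(g["priority"]), proto=g["proto"],
        src=g["src"], sport=int(g["sport"]) if g["sport"] else None,
        dst=g["dst"], dport=int(g["dport"]) if g["dport"] else None,
    )


def redact_ips(lines: Iterable[str]) -> List[str]:
    """Replace every IPv4 address with a placeholder that is stable across the
    whole batch (<IP address A>, <IP address B>, ...), so the lines can be
    posted publicly while still showing which hosts recur. Ports, signature
    IDs and the message are kept: those are what a list reader needs."""
    mapping: Dict[str, str] = {}

    def placeholder(m: "re.Match[str]") -> str:
        ip = m.group(0)
        if ip not in mapping:
            # Letters A..Z; more than 26 distinct hosts would need a wider scheme.
            mapping[ip] = "<IP address %s>" % chr(ord("A") + len(mapping))
        return mapping[ip]

    return [IPV4_RE.sub(placeholder, line) for line in lines]


def count_by_sid_and_dst(alerts: Iterable[SnortAlert]) -> Counter:
    """Count alerts per (sid, destination). Seeing how few sources and
    destinations a priority-1 rule actually involves is the first check
    before deciding whether it is a compromise or a rule misfire."""
    return Counter((a.sid, a.dst) for a in alerts)


if __name__ == "__main__":
    parsed = [a for a in map(parse_alert, SAMPLE_ALERTS) if a is not None]
    for sid_dst, n in count_by_sid_and_dst(parsed).items():
        print("sid %d -> %s: %d alert(s)" % (sid_dst[0], sid_dst[1], n))
    for line in redact_ips(SAMPLE_ALERTS):
        print(line)
```

Run the redacted output past your own eyes before posting: the regex only knows IPv4 literals, so hostnames in the sensor field or in the message text are left untouched.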

