Snort mailing list archives
Re: Help with a particular alert
From: Scott Zawalski <scott.zawalski () web de>
Date: Mon, 20 Sep 2004 09:29:42 -0700
There is no way for us to tell if it is a false positive without actual packet data. Just X out the IPs and post it.
Scott

Paul Martin wrote:

Ok, this is really bugging me. I've got 2 systems on our network that are continually spewing out something that's tripping this rule:

Sep 17 08:19:55 hgvsnort snort: [1:2382:13] NETBIOS SMB DCERPC NTLMSSP asn1 overflow attempt [Classification: Attempted Administrator Privilege Gain] [Priority: 1]: {TCP} <IP address A>:2622 -> <IP address B>:139

I'm familiar with the ASN1 overflow attack, which is why I'm a little nervous that I'm seeing it on my network. Now, both <IP address A> and <IP address B> are internal IPs. And <IP address B> is always one of 3 systems: both DNS servers, and a random client. They've got the most current anti-virus and have been scanned for spyware.

What is it that I'm missing? Could it be a false positive? I don't really think it is, but I'm open to suggestion at this point.
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
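Two things are asked for in this exchange: a way to see which hosts keep triggering SID 2382 (the poster notes the destination is "always one of 3 systems"), and a way to X out the IPs before posting the alerts to the list. The script below is an added example written for this archive page, not code from either poster or from the Snort project. It parses Snort's syslog-style alert lines into fields, tallies source and destination hosts for one SID, and redacts IPv4 addresses with stable placeholders so the same host still reads as the same host in the shared output. The log lines, hostnames and addresses in SAMPLE_LOG are constructed for the example; only the 1:2382:13 line mirrors the format quoted above.

```python
"""Triage Snort syslog ("fast") alerts: parse, summarise one SID, redact IPs.

Added example for this thread (not the posters' or Snort's own code).
The sample log lines and all addresses in them are constructed.
"""
import re
from collections import Counter

# Snort alert_syslog line, as quoted in the thread:
#   <date> <host> snort: [gid:sid:rev] <msg> [Classification: ...]
#   [Priority: N]: {PROTO} src[:sport] -> dst[:dport]
# Ports are optional because ICMP alerts carry none.
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.+?)\s+"
    r"\[Classification:\s*(?P<classification>[^\]]+)\]\s+"
    r"\[Priority:\s*(?P<priority>\d+)\]:\s+"
    r"\{(?P<proto>[A-Z]+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?"
)
IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

ASN1_SID = 2382  # NETBIOS SMB DCERPC NTLMSSP asn1 overflow attempt

# Constructed sample: four 2382 hits from two sources plus one unrelated alert.
SAMPLE_LOG = """\
Sep 17 08:19:55 hgvsnort snort: [1:2382:13] NETBIOS SMB DCERPC NTLMSSP asn1 overflow attempt [Classification: Attempted Administrator Privilege Gain] [Priority: 1]: {TCP} 192.168.1.50:2622 -> 192.168.1.10:139
Sep 17 08:20:01 hgvsnort snort: [1:2382:13] NETBIOS SMB DCERPC NTLMSSP asn1 overflow attempt [Classification: Attempted Administrator Privilege Gain] [Priority: 1]: {TCP} 192.168.1.50:2630 -> 192.168.1.11:139
Sep 17 08:20:07 hgvsnort snort: [1:2382:13] NETBIOS SMB DCERPC NTLMSSP asn1 overflow attempt [Classification: Attempted Administrator Privilege Gain] [Priority: 1]: {TCP} 192.168.1.77:1044 -> 192.168.1.10:139
Sep 17 08:20:09 hgvsnort snort: [1:469:3] ICMP PING NMAP [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 192.168.1.99 -> 192.168.1.10
Sep 17 08:20:15 hgvsnort snort: [1:2382:13] NETBIOS SMB DCERPC NTLMSSP asn1 overflow attempt [Classification: Attempted Administrator Privilege Gain] [Priority: 1]: {TCP} 192.168.1.77:1051 -> 192.168.1.23:139
"""


def parse_alert(line):
    """Return a dict of alert fields, or None if the line is not a Snort alert."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    for key in ("gid", "sid", "rev", "priority"):
        fields[key] = int(fields[key])
    for key in ("sport", "dport"):
        fields[key] = int(fields[key]) if fields[key] is not None else None
    return fields


def parse_log(text):
    """Parse every alert line in a block of syslog text; skip non-alert lines."""
    return [a for a in (parse_alert(l) for l in text.splitlines()) if a]


def summarise(alerts, sid):
    """Count hits for one SID by source host and by (destination host, port).

    A small, fixed set of destinations and sources is the pattern the poster
    describes; it tells you which two machines to pull packet captures from.
    """
    hits = [a for a in alerts if a["sid"] == sid]
    return {
        "count": len(hits),
        "sources": Counter(a["src"] for a in hits),
        "destinations": Counter((a["dst"], a["dport"]) for a in hits),
    }


def redact_ips(text):
    """Replace each IPv4 address with a stable placeholder (<IP address A>, B, ...).

    The same address always maps to the same label, so a reader of the posted
    lines can still see that one host is hitting the same three targets.
    """
    mapping = {}

    def label(ip):
        if ip not in mapping:
            n = len(mapping)
            mapping[ip] = "<IP address %s>" % (chr(ord("A") + n) if n < 26 else n + 1)
        return mapping[ip]

    return IPV4_RE.sub(lambda m: label(m.group(0)), text), mapping


if __name__ == "__main__":
    alerts = parse_log(SAMPLE_LOG)
    report = summarise(alerts, ASN1_SID)
    print("SID %d hits: %d" % (ASN1_SID, report["count"]))
    print("by source:     ", dict(report["sources"]))
    print("by destination:", dict(report["destinations"]))
    redacted, _ = redact_ips(SAMPLE_LOG)
    print("\nSafe to post:\n" + redacted)
```

Run it against the real syslog file (for example, pass the contents of /var/log/messages filtered on "snort:" to parse_log) and post the output of redact_ips rather than the raw lines. Note that redaction alone does not answer the false-positive question; as the reply says, that needs the packet payload, which this syslog format does not carry.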
Current thread:
- Help with a particular alert Paul Martin (Sep 17)
- Re: Help with a particular alert Scott Zawalski (Sep 20)
- Re: Help with a particular alert Paul Martin (Sep 20)
- <Possible follow-ups>
- RE: Help with a particular alert Esler, Joel - Contractor (Sep 17)
- Re: Help with a particular alert Scott Zawalski (Sep 20)