Snort mailing list archives
HELP
From: "Rajesh Patwardhan" <rpatwardhan () intellitactics com>
Date: Fri, 20 Aug 2004 11:15:28 -0600
-----Original Message----- From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of snort-users-request () lists sourceforge net Sent: Friday, August 20, 2004 12:07 AM To: snort-users () lists sourceforge net Subject: Snort-users digest, Vol 1 #4477 - 1 msg Send Snort-users mailing list submissions to snort-users () lists sourceforge net To subscribe or unsubscribe via the World Wide Web, visit https://lists.sourceforge.net/lists/listinfo/snort-users or, via email, send a message with subject or body 'help' to snort-users-request () lists sourceforge net You can reach the person managing the list at snort-users-admin () lists sourceforge net When replying, please edit your Subject line so it is more specific than "Re: Contents of Snort-users digest..." Today's Topics: 1. Re: Help, tons of false positive ASN1 overflow attempts. (Sean Brown) --__--__-- Message: 1 Date: Thu, 19 Aug 2004 19:22:56 -0600 From: Sean Brown <sblinux () shaw ca> Subject: Re: [Snort-users] Help, tons of false positive ASN1 overflow attempts. To: snort-users () lists sourceforge net On August 19, 2004 12:50 pm, Aharon wrote:
Pardon my vague message here. I am a snort newbie! I just installed Snort v2.2.0 and the latest signatures inside our network here at work. Anyway, everything seems to work great, except for a vast amount of false positive ASN1 warnings. I do not want to disable these ASN1 signatures becuase they would be very usefull in finding virus infected PC's throughout our network. Most ASN1 errors seem to be communications between XP clients and windows 2000 and 2003 servers. For example: 0.01 1 172.16.221.166 10.33.1.108 NETBIOS SMB DCERPC NTLMSSP
asn1
overflow attempt {tcp} .166 is a clean virus free XP client, and .108 is a Windows 2003
server.
I am getting literally hundreds of these a second. How can I help in figuring out what this issue is? I can provide any info you need, just tell me what you need me to do.
NTLMSSP is the NTLM secure service provider. If you have an Active Directory domain then this will be happening on a regular basis and its probably nothing to worry about. -Sean Brown --__--__-- _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-users End of Snort-users Digest ------------------------------------------------------- SF.Net email is sponsored by Shop4tech.com-Lowest price on Blank Media 100pk Sonic DVD-R 4x for only $29 -100pk Sonic DVD+R for only $33 Save 50% off Retail on Ink & Toner - Free Shipping and Free Gift. http://www.shop4tech.com/z/Inkjet_Cartridges/9_108_r285 _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- HELP Rajesh Patwardhan (Aug 20)