Snort mailing list archives

false positives?


From: "Jeff Schmidt (CACL Tech Asst)" <schmidje () oplin org>
Date: Mon, 29 Nov 2004 09:14:32 -0500

Hello,
I'm receiving a high number of the following alert: "NETBIOS SMB-DS DCERPC NTLMSSP asn1 overflow attempt" (references: nessus; cve <http://cve.mitre.org/cgi-bin/cvename.cgi?name=2003-0818>; icat <http://icat.nist.gov/icat.cfm?cvename=2003-0818>; bugtraq <http://www.securityfocus.com/bid/9635>; bugtraq <http://www.securityfocus.com/bid/9633>; snort <http://www.snort.org/snort-db/sid.html?sid=2383>).

From the alert description, it would appear to be a virus or worm of some sort that is attempting to infect our Active Directory server. However, we have up-to-date virus protection (Symantec A/V 9 with up-to-date virus defs) on all our workstations, and a scan of any of the workstations does not report any threats detected. So, I'm wondering if this alert is possibly a false positive that is just detecting normal Windows network activity between our workstations and our domain server? I should note that the destination address of these alerts is *always* the AD server and never any other machine. Is it safe to turn off this detection rule?

Also, I'm getting another alert that appears that it might be related: "NETBIOS SMB-DS IPC$ share unicode access." Again, is this just Snort detecting completely normal traffic?

Jeff Schmidt
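
Before turning a rule off, the claim "the destination is always the AD server" is worth checking against the alert log itself, and the rule can then be silenced only for that destination rather than globally. The script below is an added example for this thread, not code from Jeff's post or from the Snort project. It parses Snort fast-format alert lines, groups hits by signature, confirms that every hit goes to the AD server from an internal workstation, and prints a threshold.conf `suppress` entry scoped with `track by_dst` for the signatures that pass. The alert lines, the AD server address 10.0.1.10, the workstation subnet 10.0.5.0/24, and the SID used for the IPC$ rule (2466) are all constructed assumptions for illustration; only sid 2383 comes from the post.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Snort "fast" alert output format (one alert per line).
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.+?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample alerts (not real log data). The last 2383 hit targets a
# workstation instead of the AD server, which is exactly the case that must
# block a blanket suppression. The IPC$ rule SID 2466 is assumed, not verified.
SAMPLE_ALERTS = """\
11/29-08:51:02.114233  [**] [1:2383:5] NETBIOS SMB-DS DCERPC NTLMSSP asn1 overflow attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.0.5.21:1041 -> 10.0.1.10:445
11/29-08:51:07.902110  [**] [1:2383:5] NETBIOS SMB-DS DCERPC NTLMSSP asn1 overflow attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.0.5.33:1102 -> 10.0.1.10:445
11/29-08:52:40.331870  [**] [1:2383:5] NETBIOS SMB-DS DCERPC NTLMSSP asn1 overflow attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.0.5.21:1044 -> 10.0.1.10:445
11/29-08:53:11.004512  [**] [1:2466:3] NETBIOS SMB-DS IPC$ share unicode access [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 10.0.5.33:1105 -> 10.0.1.10:445
11/29-08:55:19.556001  [**] [1:2383:5] NETBIOS SMB-DS DCERPC NTLMSSP asn1 overflow attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.0.5.40:2201 -> 10.0.5.21:445
"""

AD_SERVER = "10.0.1.10"            # assumed address of the domain controller
WORKSTATION_NETS = ["10.0.5.0/24"]  # assumed workstation subnet(s)


def parse_alerts(text):
    """Parse fast-format alert lines into dicts; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m:
            alerts.append(m.groupdict())
    return alerts


def summarize(alerts):
    """Group alerts by (gid, sid): hit count, message, distinct sources and destinations."""
    summary = {}
    for a in alerts:
        key = (int(a["gid"]), int(a["sid"]))
        entry = summary.setdefault(
            key, {"msg": a["msg"], "count": 0, "srcs": Counter(), "dsts": Counter()}
        )
        entry["count"] += 1
        entry["srcs"][a["src"]] += 1
        entry["dsts"][a["dst"]] += 1
    return summary


def triage(summary, ad_server, workstation_nets):
    """Per signature: 'suppress_candidate' only if every hit goes to the AD server
    from an internal workstation; otherwise 'investigate' with the outliers listed."""
    nets = [ip_network(n) for n in workstation_nets]
    verdicts = {}
    for key, e in summary.items():
        off_ad = [d for d in e["dsts"] if d != ad_server]
        external = [s for s in e["srcs"] if not any(ip_address(s) in n for n in nets)]
        if not off_ad and not external:
            verdicts[key] = ("suppress_candidate", [])
        else:
            verdicts[key] = ("investigate", off_ad + external)
    return verdicts


def suppress_line(gid, sid, ad_server):
    """threshold.conf entry that silences one signature only for traffic to the AD server
    (Snort 2 syntax), leaving hits against every other host visible."""
    return f"suppress gen_id {gid}, sig_id {sid}, track by_dst, ip {ad_server}"


if __name__ == "__main__":
    summary = summarize(parse_alerts(SAMPLE_ALERTS))
    verdicts = triage(summary, AD_SERVER, WORKSTATION_NETS)
    for key, e in summary.items():
        verdict, outliers = verdicts[key]
        print(f"[{key[0]}:{key[1]}] {e['msg']}: {e['count']} hits, "
              f"{len(e['srcs'])} sources, {len(e['dsts'])} destinations -> {verdict} {outliers}")
        if verdict == "suppress_candidate":
            print("   ", suppress_line(key[0], key[1], AD_SERVER))
```

In the constructed sample the IPC$ signature passes and gets a scoped suppress entry, while sid 2383 is flagged because one hit went workstation-to-workstation; that is the hit a blanket "turn the rule off" would have hidden. Run it against the real alert file instead of `SAMPLE_ALERTS`, and set the workstation networks and AD address to match the site.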




