Snort mailing list archives

Previous By Date Next
Previous By Thread Next

HELP

From: "Rajesh Patwardhan" <rpatwardhan () intellitactics com>
Date: Fri, 20 Aug 2004 11:15:28 -0600
 

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of
snort-users-request () lists sourceforge net
Sent: Friday, August 20, 2004 12:07 AM
To: snort-users () lists sourceforge net
Subject: Snort-users digest, Vol 1 #4477 - 1 msg

Send Snort-users mailing list submissions to
        snort-users () lists sourceforge net

To subscribe or unsubscribe via the World Wide Web, visit
        https://lists.sourceforge.net/lists/listinfo/snort-users
or, via email, send a message with subject or body 'help' to
        snort-users-request () lists sourceforge net

You can reach the person managing the list at
        snort-users-admin () lists sourceforge net

When replying, please edit your Subject line so it is more specific than
"Re: Contents of Snort-users digest..."


Today's Topics:

   1. Re: Help,  tons of false positive ASN1 overflow attempts. (Sean
Brown)

--__--__--

Message: 1
Date: Thu, 19 Aug 2004 19:22:56 -0600
From: Sean Brown <sblinux () shaw ca>
Subject: Re: [Snort-users] Help,  tons of false positive ASN1 overflow
attempts.
To: snort-users () lists sourceforge net

On August 19, 2004 12:50 pm, Aharon wrote:

Pardon my vague message here.  I am a snort newbie!

I just installed Snort v2.2.0 and the latest signatures inside our 
network here at work.  Anyway,  everything seems to work great,  
except for a vast amount of false positive ASN1 warnings.

I do not want to disable these ASN1 signatures becuase they would be 
very usefull in finding virus infected PC's throughout our network.  
Most ASN1 errors seem to be communications between XP clients and 
windows 2000 and
2003 servers.

For example:
0.01  1       172.16.221.166  10.33.1.108 NETBIOS SMB DCERPC NTLMSSP

asn1

overflow attempt {tcp}

.166 is a clean virus free XP client,  and .108 is a Windows 2003

server.

I am getting literally hundreds of these a second.

How can I help in figuring out what this issue is?  I can provide any 
info you need,  just tell me what you need me to do.


NTLMSSP is the NTLM secure service provider. If you have an Active
Directory domain then this will be happening on a regular basis and its
probably nothing to worry about.

-Sean Brown



--__--__--

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-users


End of Snort-users Digest








-------------------------------------------------------
SF.Net email is sponsored by Shop4tech.com-Lowest price on Blank Media
100pk Sonic DVD-R 4x for only $29 -100pk Sonic DVD+R for only $33
Save 50% off Retail on Ink & Toner - Free Shipping and Free Gift.
http://www.shop4tech.com/z/Inkjet_Cartridges/9_108_r285
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: