Snort mailing list archives

masses of FPs with 2.9.0.2 "NETBIOS Windows .* dll" rules


From: Jason Haar <Jason.Haar () trimble co nz>
Date: Wed, 26 Jan 2011 10:16:52 +1300

Hi there

A couple of days ago, we rolled out the current Registered User 2.9.0.2
rules, and we're triggering a range of DLL-related NETBIOS rules, on
normal file transfers, Office installs (I think) and backups.

e.g.

NETBIOS pptimpconv.dll access
NETBIOS Windows Address Book smmscrpt.dll malicious DLL load
NETBIOS Windows Address Book wab32res.dll malicious DLL load
NETBIOS Windows Address Book msoeres32.dll malicious DLL load
NETBIOS Microsoft Movie Maker hhctrl.ocx dll-load exploit attempt
WEB-CLIENT Microsoft Movie Maker hhctrl.ocx dll-load exploit attempt


As these rules are all "metadata: engine shared", I can't tell what's
going on, but the packet capture seems to show the associated filenames,
so are these rules simply triggering whenever these files are seen? If
so, they are going to generate a mess of FPs for lots of people...


-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
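As an added example, not from the original thread or from the Snort project: a small Python triage script that parses Snort alert_fast lines for these shared-object (GID 3) rules, checks whether a rule's hits look like bulk SMB file traffic from a few internal hosts rather than an attack, and emits threshold.conf event_filter lines to rate-limit such rules without silencing them. The sample alert lines, IP addresses and SIDs (9000x) are constructed placeholders.

```python
import re

# alert_fast format: "mm/dd-HH:MM:SS.uuuuuu  [**] [gid:sid:rev] msg [**] ... {proto} src:port -> dst:port"
ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) \[\*\*\]"
    r".*\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::(?P<sport>\d+))?"
    r" -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)
SMB_PORTS = {"139", "445"}

def parse_alert(line):
    """Return the fields of one alert_fast line as a dict, or None if it does not match."""
    m = ALERT_RE.search(line.strip())
    return m.groupdict() if m else None

def summarize(lines):
    """Aggregate alerts per (gid, sid, msg): hit count, distinct sources, hits on SMB ports."""
    stats = {}
    for line in lines:
        a = parse_alert(line)
        if a is None:
            continue
        key = (a["gid"], a["sid"], a["msg"])
        s = stats.setdefault(key, {"hits": 0, "srcs": set(), "smb": 0})
        s["hits"] += 1
        s["srcs"].add(a["src"])
        if a["dport"] in SMB_PORTS:
            s["smb"] += 1
    return stats

def suggest_filters(stats, min_hits=3, max_srcs=5, seconds=3600):
    """Rate-limit rules that fire repeatedly from a few hosts, always over SMB: that pattern
    fits bulk copies and installs, not exploitation. Returns threshold.conf event_filter lines."""
    out = []
    for (gid, sid, msg), s in sorted(stats.items()):
        if s["hits"] >= min_hits and len(s["srcs"]) <= max_srcs and s["smb"] == s["hits"]:
            out.append(f"# {msg}: {s['hits']} hits from {len(s['srcs'])} source(s), all SMB\n"
                       f"event_filter gen_id {gid}, sig_id {sid}, type limit, "
                       f"track by_src, count 1, seconds {seconds}")
    return out

# Constructed sample alerts (SIDs 9000x and addresses are placeholders, not real Snort SIDs).
SAMPLE = """\
01/26-09:01:10.000001  [**] [3:90001:1] NETBIOS Windows Address Book wab32res.dll malicious DLL load [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 10.10.1.21:49231 -> 10.10.1.5:445
01/26-09:01:11.000002  [**] [3:90001:1] NETBIOS Windows Address Book wab32res.dll malicious DLL load [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 10.10.1.21:49232 -> 10.10.1.5:445
01/26-09:03:40.000003  [**] [3:90001:1] NETBIOS Windows Address Book wab32res.dll malicious DLL load [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 10.10.1.22:50120 -> 10.10.1.5:445
01/26-09:04:02.000004  [**] [3:90002:1] WEB-CLIENT Microsoft Movie Maker hhctrl.ocx dll-load exploit attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 203.0.113.9:80 -> 10.10.1.30:51000
""".splitlines()

if __name__ == "__main__":
    print("\n".join(suggest_filters(summarize(SAMPLE))))
```

The WEB-CLIENT hit is a single HTTP event and is left alone; only the repeated SMB-only rule gets a filter, so a genuine single exploitation attempt still alerts once per source per hour.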

