Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Snort-Signatures
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Re: [Snort-sigs] 2383 FP " NETBIOS SMB-DS DCERPC NTLMSSP asn1 overfl

from [sekure] Network Security [Permanent Link]
Subject: Re: Re: [Snort-sigs] 2383 FP " NETBIOS SMB-DS DCERPC NTLMSSP asn1 overflow attempt"
Date: Wed, 25 Aug 2004 11:59:22 -0400 
I understand that my report is pretty useless without corraborating
information, but in the interest of security I chose not to distribute
the pcaps to the list, since they contain my IPs and other identifying
information.  I did say that I'll be more than happy to provide the
pcaps to the snort team, but I didn't want to just fire off the email
to you guys (snort/sourcefire), and bypass the list.  I'll send the
pcap to you directly.

I believe it's a false positive because it does not look like an
attack.  It's coming from a desktop, directed to a server (actually
two different servers), but the timing is not consistent with an
attack, rather with normal MS communication.  It's all some fuzzy
logic in my head, call it my gut feeling, but I am pretty sure it's
not an attack, and therefore a False Positive.

On Wed, 25 Aug 2004 11:52:43 -0400, Alex Kirk <alex.kirk@sourcefire.com> wrote:

Generally speaking, it's nice if you can provide details with a false
positive report -- like why you think it's a false positive, what (if
anything) you suspect may be causing it, and pcaps if appropriate. We're
more than happy to investigate these things, but just saying there's a
false positive associated with a rule gives us nowhere to even begin.

BTW, please send whatever details you may have to the list, so that more
eyes can be looking at them.

Alex Kirk
Research Analyst
Sourcefire, Inc.




I am using the newest 2.2 ruleset (as of yesterday) and seeing a fair
number of false positives on sid 2383 "NETBIOS SMB-DS DCERPC NTLMSSP
asn1 overflow attempt"

Anyone else?

I can provide pcaps to the snort/sourcefire team if need be.



-------------------------------------------------------
SF.Net email is sponsored by Shop4tech.com-Lowest price on Blank Media
100pk Sonic DVD-R 4x for only $29 -100pk Sonic DVD+R for only $33
Save 50% off Retail on Ink & Toner - Free Shipping and Free Gift.
http://www.shop4tech.com/z/Inkjet_Cartridges/9_108_r285
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Snort-sigs] 2383 FP " NETBIOS SMB-DS DCERPC NTLMSSP asn1 overflow attempt", Alex Kirk
Next by Date:  Re: [Snort-sigs] 2383 FP " NETBIOS SMB-DS DCERPC NTLMSSP asn1 overflow attempt", Alex Kirk
Previous by Thread:  Re: [Snort-sigs] 2383 FP " NETBIOS SMB-DS DCERPC NTLMSSP asn1 overflow attempt", Alex Kirk
Next by Thread:  Re: [Snort-sigs] 2383 FP " NETBIOS SMB-DS DCERPC NTLMSSP asn1 overflow attempt", Alex Kirk
Indexes:  [Date] [Thread] [Top] [All Lists]