Hi all,
I'm running Snort 2.2.0 on Debian. The device is snorting a mixed
Win/Mac/*nix dorm network of several hundred machines. Some machines
are in a domain, but all student (privately owned) machines are not in
the domain.
The rule: (GEN:SID 1:2383)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS
DCERPC NTLMSSP asn1 overflow attempt"; flow:to_server,established;
content:"|FF|SMBs"; depth:5; offset:4; nocase;
byte_test:1,&,8,6,relative; asn1:double_overflow, oversize_length
2048, bitstring_overflow,relative_offset 54; reference:bugtraq,9633;
reference:bugtraq,9635; reference:cve,2003-0818;
reference:nessus,12052; classtype:attempted-admin;
reference:nessus,12065; sid:2383; rev:13;)
...is generating many false positives -- each and every Domain
machine is causing alerts but no non-domain machines are (including
hundreds of student owned and unpatched XP machines). Furthermore,
there are only two destination addresses -- our 2 AD/DNS servers. Our
domain machines are all patched with up to the minute anti-virus and
are reimaged on a regular basis; it is highly unlikely that they are
compromised by this exploit.
Can I do something more to help improve this rule or add false
positive warnings to the description? I have put a pass rule on it for
now.
Thanks,
Peter
--
Peter A. Peterson II, technician and musician.
---=[ http://tastytronic.net/~pedro/ ]=---
-------------------------------------------------------
This SF.Net email is sponsored by BEA Weblogic Workshop
FREE Java Enterprise J2EE developer tools!
Get your free copy of BEA WebLogic Workshop 8.1 today.
http://ads.osdn.com/?ad_id=5047&alloc_id=10808&op=click
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
