
[Snort-sigs] FP for NETBIOS SMB-DS DCERPC NTLMSSP asn1 overflow attempt:

Subject: [Snort-sigs] FP for NETBIOS SMB-DS DCERPC NTLMSSP asn1 overflow attempt: sid 2383 -- the real one
Date: Tue, 19 Oct 2004 13:35:21 +1300
OK, this one is for real; my apologies for the confusion caused by my
other post with the same (but in that case erroneous) subject line.

I am seeing many (over a thousand a day) of these on our internal
network on sessions between well-managed machines that I would expect to
be communicating on port 455. A quick look at the data portion does
not appear malicious (no padding or other evidence of overflow attempt).



-- 
Russell Fulton, Information Security Officer, The University of Auckland
New Zealand


