Re: FP for NETBIOS SMB-DS DCERPC NTLMSSP asn1 over: msg#00149 security.ids.snort.sigs

If you could also provide header information and the rule revision it would be more helpful.

Russell Fulton wrote:

I am seeing many (over a thousand a day) of these on our internal
network on sessions between well managed machines that I would expect to
be communicating on port 455. A quick look at the data portion does
not appear malicious (no padding or other evidence of overflow attempt).

DATA (Ascii below)

0000015EFF534D427300

0000001807C800000000

00000000000000000000

FFFE000820000CFF005E

[...]

-------------------------------------------------------
This SF.net email is sponsored by: IT Product Guide on ITManagersJournal
Use IT products in your business? Tell us what you think of them. Give us
Your Opinions, Get Free ThinkGeek Gift Certificates! Click to find out more
http://productguide.itmanagersjournal.com/guidepromo.tmpl

Previous by Date:	Re: reporting false positives...: 00149, Jason
Next by Date:	Re: Colin Slevin/TRANSWARE/IE is out of the office.: 00149, Matt Kettler
Previous by Thread:	FP for NETBIOS SMB-DS DCERPC NTLMSSP asn1 overflow attempt: sid 2383i: 00149, Russell Fulton
Next by Thread:	FP for NETBIOS SMB-DS DCERPC NTLMSSP asn1 overflow attempt: sid 2383 -- the real one: 00149, Russell Fulton
Indexes:	[Date] [Thread] [Top] [All Lists]

<Prev in Thread]	Current Thread	[Next in Thread>

Re: FP for NETBIOS SMB-DS DCERPC NTLMSSP asn1 overflow attempt: sid 2383: msg#00149

security.ids.snort.sigs