[Snort-sigs] FP on "NETBIOS DCERPC Remote Activation bind attempt"
From: Jason Haar <Jason.Haar(at)trimble.co.nz>
Date: Mon Mar 15 2004 - 15:35:41 EST

I'm getting quite a few FPs on "NETBIOS DCERPC Remote Activation bind attempt" - SID: 2251.

It's only triggering on an old NT4 server of ours - probably quite unpatched for some time. The clients will be Win2K or WinXP. So far we've had four different clients trigger this alert - all to the same host.

The details about 2251 seem quite adamant that this rule doesn't have FPs, but I think otherwise.

This is under Snort-2.1.1. Here's the packet as shown within ACID:

length = 72
000 : 05 00 0B 03 10 00 00 00 48 00 00 00 03 00 00 00 ........H.......
010 : D0 16 D0 16 EF EA 00 00 01 00 00 00 02 00 01 00 ................
020 : B8 4A 9F 4D 1C 7D CF 11 86 1E 00 20 AF 6E 7C 57 .J.M.}..... .n|W
030 : 00 00 00 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 .....]..........
040 : 2B 10 48 60 02 00 00 00 +.H....

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

Received on Mon Mar 15 16:36:21 2004

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:37 EDT
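
Added example (not part of the original message, and not Snort code): a Python decode of the 72-byte packet quoted above as a DCE/RPC bind PDU, showing which interface and transfer syntax the client requested, which is the first thing to confirm when triaging this alert. The name parse_bind and the KNOWN label table are illustrative choices made for this example.

```python
import struct
import uuid

# Packet bytes copied from the hex dump in the message above (72 bytes).
PACKET = bytes.fromhex(
    "05000b03100000004800000003000000"
    "d016d016efea00000100000002000100"
    "b84a9f4d1c7dcf11861e0020af6e7c57"
    "00000000045d888aeb1cc9119fe80800"
    "2b10486002000000"
)

# Well-known syntax UUIDs, used only to label the output.
KNOWN = {
    "4d9f4ab8-7d1c-11cf-861e-0020af6e7c57": "IRemoteActivation",
    "8a885d04-1ceb-11c9-9fe8-08002b104860": "NDR transfer syntax",
}

def parse_bind(pdu):
    """Decode a connection-oriented DCE/RPC v5 bind PDU into a dict."""
    if len(pdu) < 28:
        raise ValueError("too short for a bind PDU")
    if pdu[0] != 5 or pdu[2] != 0x0B:        # rpc_vers, ptype (0x0B = bind)
        raise ValueError("not a DCE/RPC v5 bind")
    little = (pdu[4] & 0xF0) == 0x10         # data representation: integer byte order
    end = "<" if little else ">"
    frag_len, auth_len, call_id = struct.unpack_from(end + "HHI", pdu, 8)
    if frag_len != len(pdu):
        raise ValueError("frag_length does not match the captured length")
    max_xmit, max_recv, assoc_group = struct.unpack_from(end + "HHI", pdu, 16)
    contexts, off = [], 28
    for _ in range(pdu[24]):                 # number of presentation context elements
        ctx_id, n_xfer = struct.unpack_from(end + "HBx", pdu, off)
        off += 4
        syntaxes = []
        for _ in range(1 + n_xfer):          # abstract syntax, then transfer syntaxes
            raw = pdu[off:off + 16]          # a short slice makes uuid.UUID raise ValueError
            u = uuid.UUID(bytes_le=raw) if little else uuid.UUID(bytes=raw)
            major, minor = struct.unpack_from(end + "HH", pdu, off + 16)
            syntaxes.append({"uuid": str(u), "version": (major, minor),
                             "name": KNOWN.get(str(u), "unknown")})
            off += 20
        contexts.append({"context_id": ctx_id, "abstract": syntaxes[0],
                         "transfer": syntaxes[1:]})
    return {"flags": pdu[3], "frag_length": frag_len, "auth_length": auth_len,
            "call_id": call_id, "max_xmit_frag": max_xmit, "max_recv_frag": max_recv,
            "assoc_group": assoc_group, "contexts": contexts}

if __name__ == "__main__":
    for ctx in parse_bind(PACKET)["contexts"]:
        print(ctx["context_id"], ctx["abstract"], ctx["transfer"])
```
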