[Oisf-users] Alerts about MS08-067

C. L. Martinez carlopmart at gmail.com
Tue Nov 5 11:42:53 UTC 2013

Hi all,

From time to time my Suricata sensors (all of them running release
1.4.6) trigger alerts about the MS08-067 vulnerability on my servers and/or
workstations (ten or fifteen times a day).

I run the following nmap script
http://nmap.org/nsedoc/scripts/smb-check-vulns.html to check for this
vulnerability, and the result is not vulnerable. For example:

root at debian01:/tmp# nmap --script smb-check-vulns.nse -p445

Starting Nmap 6.00 ( http://nmap.org ) at 2013-11-05 11:38 UTC
Nmap scan report for mytest.server.local (
Host is up (0.00049s latency).
445/tcp open  microsoft-ds

Host script results:
| smb-check-vulns:
|   Conficker: Likely CLEAN
|   regsvc DoS: CHECK DISABLED (add '--script-args=unsafe=1' to run)
|   SMBv2 DoS (CVE-2009-3103): CHECK DISABLED (add '--script-args=unsafe=1' to run)
|   MS06-025: CHECK DISABLED (remove 'safe=1' argument to run)
|_  MS07-029: CHECK DISABLED (remove 'safe=1' argument to run)

Nmap done: 1 IP address (1 host up) scanned in 0.43 seconds

Then why is this alert triggered? Any idea?
