So here I sit on yet another run of scheduled maintenance when I figure, hey no time like the present to take care of those few false positives on our internal NIDS. So I've been lazy, the fact is I know the nifty richedit.dll alert is a false positive, and I even know whats causing it, but rather than disable the rule altogether I figured I would do some packet dissection and figure a way to rewrite the rule to ignore our wonderful and sad sad inventory database app.

Anywho, figuring that it's been forever since I've visited AO, and even longer since I've posted I figure I'll bring this up for anyone who might notice the same (heh).

If anyone is out there running Accware or Everest standard from Icode (www.icode.com) be aware that upon opening the application will make a call to Riched20.dll across the network to do whatever it does (havent quite finished looking into it) thus firing Snort SID 1295 "NETBIOS Nimda RICHED20.dll". After poking at it for a little while I figured out that the call is normal on the opening of the client and the alert is definately a false positive. EIther way, I'll post the false positive to the snort team when I clear up the details. And sadly, if any of you are in fact running either one of these Icode products...... I feel your pain.