[Snort-devel] SMB bug?

Jarmo Järvenpää jarmo.jarvenpaa at ...200...
Thu Jan 11 06:05:23 EST 2001


Hi

Can you check if there's a bug with the SMB sending code?

- I tried to telnet to 10.1.1.1 to port 6939 (from 10.1.0.1)


This is generated with debugging and is displayed on screen with
smbclient.
--------------------
Triggering responses (nil)
        <!!> Generating alert! "IDS89 - BACKDOOR ATTEMPT-Indoctrination"
Generating SMB alert!
Sending WinPopup alert to: TEST
Command Line: echo "SNORT ALERT - Possible Network Attack or Probe:
 [**] IDS89 - BACKDOOR ATTEMPT-Indoctrination [**]
01/11-12:45:52.429704  10.1.1.1:1070->10.1.1.1:6939" | smbclient -U
Snort -M TEST
   => Finishing alert packet!
Directory Created!
Opening file: /var/log/snort/10.1.0.1/TCP:6939-1070
Fi
--------------------


This is part of the logfile, which is correct
--------------------
[**] IDS89 - BACKDOOR ATTEMPT-Indoctrination [**]
01/11-12:27:14.331324 10.1.0.1:1065 -> 10.1.1.1:6939
TCP TTL:57 TOS:0x10 ID:1060 IpLen:20 DgmLen:60 DF
******S* Seq: 0x11E8EB54  Ack: 0x0  Win: 0x7D78  TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 1479397536 0 NOP WS: 0 
--------------------


Regards, Jarmo



