[Snort-devel] Repost of previous msg

Martin Roesch roesch at ...48...
Sat Jan 13 02:40:39 EST 2001


Is smbclient in your system path?  It needs to be there and accessible
for the data to be sent.  Additionally, is there a system on the net
with TEST as its NetBIOS name?

     -Marty

Jarmo Järvenpää wrote:
> 
> Hi
> 
> - Snort version 1.7
> 
> Can you check if there's a bug with SMB sending code?
> 
> - I tried to telnet to 10.1.1.1 to port 6939 (from 10.1.0.1)
> 
> This is generated with debugging and is displayed on screen with
> smbclient.
> --------------------
> Triggering responses (nil)
>         <!!> Generating alert! "IDS89 - BACKDOOR ATTEMPT-Indoctrination"
> Generating SMB alert!
> Sending WinPopup alert to: TEST
> Command Line: echo "SNORT ALERT - Possible Network Attack or Probe:
>  [**] IDS89 - BACKDOOR ATTEMPT-Indoctrination [**]
> 01/11-12:45:52.429704  10.1.1.1:1070->10.1.1.1:6939" | smbclient -U
> Snort -M TEST
>    => Finishing alert packet!
> Directory Created!
> Opening file: /var/log/snort/10.1.0.1/TCP:6939-1070
> Fi
> --------------------
> 
> This is part of the logfile, which is correct
> --------------------
> [**] IDS89 - BACKDOOR ATTEMPT-Indoctrination [**]
> 01/11-12:27:14.331324 10.1.0.1:1065 -> 10.1.1.1:6939
> TCP TTL:57 TOS:0x10 ID:1060 IpLen:20 DgmLen:60 DF
> ******S* Seq: 0x11E8EB54  Ack: 0x0  Win: 0x7D78  TcpLen: 40
> TCP Options (5) => MSS: 1460 SackOK TS: 1479397536 0 NOP WS: 0
> --------------------
> 
> Regards, Jarmo

--
Martin Roesch
roesch at ...48...
http://www.snort.org



