[Snort-devel] Repost of previous msg

Jarmo Järvenpää Jarmo.Jarvenpaa at ...200...
Sat Jan 13 05:22:58 EST 2001


Hmm, I need to be more specific - I _will_ receive the popup message on
my NT workstation, but the information in the popup is incorrect.

And to be more specific, the destination ip is the same as the
originating ip, even though it originated from somewhere else.

And if I look at the logfiles created by snort, it's correct there. So only
the popup is incorrect.

Regards,

Jarmo

Martin Roesch wrote:
> 
> Is smbclient in your system path?  It needs to be there and accessible
> for the data to be sent.  Additionally, is there a system on the net
> with TEST as its NetBIOS name?
> 
>      -Marty
> 
> Jarmo Järvenpää wrote:
> >
> > Hi
> >
> > - Snort version 1.7
> >
> > Can you check if there's a bug with SMB sending code?
> >
> > - I tried to telnet to 10.1.1.1 to port 6939 (from 10.1.0.1)
> >
> > This is generated with debugging and is displayed on screen with
> > smbclient.
> > --------------------
> > Triggering responses (nil)
> >         <!!> Generating alert! "IDS89 - BACKDOOR ATTEMPT-Indoctrination"
> > Generating SMB alert!
> > Sending WinPopup alert to: TEST
> > Command Line: echo "SNORT ALERT - Possible Network Attack or Probe:
> >  [**] IDS89 - BACKDOOR ATTEMPT-Indoctrination [**]
> > 01/11-12:45:52.429704  10.1.1.1:1070->10.1.1.1:6939" | smbclient -U
> > Snort -M TEST
> >    => Finishing alert packet!
> > Directory Created!
> > Opening file: /var/log/snort/10.1.0.1/TCP:6939-1070
> > Fi
> > --------------------
> >
> > This is part of the logfile, which is correct
> > --------------------
> > [**] IDS89 - BACKDOOR ATTEMPT-Indoctrination [**]
> > 01/11-12:27:14.331324 10.1.0.1:1065 -> 10.1.1.1:6939
> > TCP TTL:57 TOS:0x10 ID:1060 IpLen:20 DgmLen:60 DF
> > ******S* Seq: 0x11E8EB54  Ack: 0x0  Win: 0x7D78  TcpLen: 40
> > TCP Options (5) => MSS: 1460 SackOK TS: 1479397536 0 NOP WS: 0
> > --------------------
> >
> > Regards, Jarmo
> >
> > _______________________________________________
> > Snort-devel mailing list
> > Snort-devel at lists.sourceforge.net
> > http://lists.sourceforge.net/mailman/listinfo/snort-devel
> 
> --
> Martin Roesch
> roesch at ...48...
> http://www.snort.org
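A small consistency check for the symptom described in this thread, added here as an example and not code from the thread or from Snort: it parses the "MM/DD-HH:MM:SS.usec src:sport -> dst:dport" header line in both the alert-file form and the WinPopup form (which on this page has no spaces around the arrow) and reports whether the popup names the same endpoints the log recorded. The sample strings are constructed from the outputs quoted above, with the timestamp and client port aligned so the two refer to one alert.

```python
import re
from dataclasses import dataclass

# Header line as Snort 1.7 writes it to the alert file and into the WinPopup
# text. The popup variant quoted on this page has no spaces around "->",
# so the pattern accepts both spellings.
HEADER_RE = re.compile(
    r"(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s*->\s*(?P<dst>[\d.]+):(?P<dport>\d+)"
)


@dataclass(frozen=True)
class Endpoints:
    src: str
    sport: int
    dst: str
    dport: int


def parse_header(text: str) -> Endpoints:
    """Extract the address/port pairs from an alert header (file or popup form)."""
    m = HEADER_RE.search(text)
    if m is None:
        raise ValueError(f"no Snort alert header found in: {text!r}")
    return Endpoints(m["src"], int(m["sport"]), m["dst"], int(m["dport"]))


def popup_matches_log(popup_text: str, log_text: str) -> bool:
    """True when the popup names exactly the endpoints the alert file recorded."""
    return parse_header(popup_text) == parse_header(log_text)


# Constructed samples (hypothetical, modelled on the two outputs quoted in the
# thread): the WinPopup text repeats the destination host as the source,
# while the alert file carries the real originating host.
POPUP = ("SNORT ALERT - Possible Network Attack or Probe:\n"
         " [**] IDS89 - BACKDOOR ATTEMPT-Indoctrination [**]\n"
         "01/11-12:45:52.429704  10.1.1.1:1070->10.1.1.1:6939")
LOGGED = ("[**] IDS89 - BACKDOOR ATTEMPT-Indoctrination [**]\n"
          "01/11-12:45:52.429704 10.1.0.1:1070 -> 10.1.1.1:6939")

if __name__ == "__main__":
    print("popup:", parse_header(POPUP))
    print("log:  ", parse_header(LOGGED))
    print("popup consistent with log:", popup_matches_log(POPUP, LOGGED))
```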