[Snort-sigs] false positive for SID 2404 and SID 2466

Stefan Sabolowitsch Stefan.Sabolowitsch at ...2683...
Tue Aug 3 09:22:26 EDT 2004


Hi List / NG

I have a number of alarm reports with SID 2404 (NETBIOS SMB Data Service
Session Setup AndX request unicode username overflow attempt) and SID
2466 (NETBIOS SMB-DS IPC$ share unicode access).
Why would this be alerting on traffic from a Windows XP Prof with MS MSSQL
Enterprise Manager to a Windows XP Pro workstation
with MS MSSQL Database? The MSSQL Enterprise Manager uses C$ for
communication.

What can I do so that I do not get this report anymore?

Thanks for any aid / tips

Stefan


Info:
var EXTERNAL_NET any

Look here:
NETBIOS SMB-DS Session Setup AndX request unicode username overflow attempt:

 length = 338

000 : 00 00 01 4E FF 53 4D 42 73 00 00 00 00 18 07 C8   ...N.SMBs.......
010 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 FF FE   ................
020 : 00 08 20 00 0C FF 00 4E 01 04 11 0A 00 00 00 00   .. ....N........
030 : 00 00 00 AC 00 00 00 00 00 D4 00 00 A0 13 01 4E   ...............N
040 : 54 4C 4D 53 53 50 00 03 00 00 00 18 00 18 00 6C   TLMSSP.........l
050 : 00 00 00 18 00 18 00 84 00 00 00 0E 00 0E 00 40   ...............@
060 : 00 00 00 12 00 12 00 4E 00 00 00 0C 00 0C 00 60   .......N.......`
070 : 00 00 00 10 00 10 00 9C 00 00 00 15 82 88 E0 46   ...............F
080 : 00 45 00 4C 00 54 00 45 00 4E 00 31 00 52 00 75   .E.L.T.E.N.1.R.u
090 : 00 65 00 64 00 69 00 67 00 65 00 72 00 47 00 44   .e.d.i.g.e.r.G.D
0a0 : 00 41 00 30 00 34 00 38 00 4C 00 94 9A EE 95 CF   .A.0.4.8.L......
0b0 : E3 74 71 00 00 00 00 00 00 00 00 00 00 00 00 00   .tq.............
0c0 : 00 00 00 AA 1B 5C 9D 03 B1 01 2B 91 1B DD 13 02   .....\....+.....
0d0 : 48 D6 0B 33 F7 72 FE 85 7B 45 C6 C7 08 D6 EB 6C   H..3.r..{E.....l
0e0 : D8 CB D0 AB 37 96 18 B4 8C 80 ED 00 57 00 69 00   ....7.......W.i.
0f0 : 6E 00 64 00 6F 00 77 00 73 00 20 00 32 00 30 00   n.d.o.w.s. .2.0.
100 : 30 00 32 00 20 00 32 00 36 00 30 00 30 00 20 00   0.2. .2.6.0.0. .
110 : 53 00 65 00 72 00 76 00 69 00 63 00 65 00 20 00   S.e.r.v.i.c.e. .
120 : 50 00 61 00 63 00 6B 00 20 00 31 00 00 00 57 00   P.a.c.k. .1...W.
130 : 69 00 6E 00 64 00 6F 00 77 00 73 00 20 00 32 00   i.n.d.o.w.s. .2.
140 : 30 00 30 00 32 00 20 00 35 00 2E 00 31 00 00 00   0.0.2. .5...1...
150 : 00 00                                             ..


and
NETBIOS SMB-DS IPC$ share unicode access:

length = 82

000 : 00 00 00 4E FF 53 4D 42 75 00 00 00 00 18 07 C8   ...N.SMBu.......
010 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 FF FE   ................
020 : 00 08 30 00 04 FF 00 4E 00 08 00 01 00 23 00 00   ..0....N.....#..
030 : 5C 00 5C 00 42 00 41 00 54 00 43 00 48 00 32 00   \.\.B.A.T.C.H.2.
040 : 5C 00 49 00 50 00 43 00 24 00 00 00 3F 3F 3F 3F   \.I.P.C.$...????
050 : 3F 00   




