[Snort-sigs] netbios rule question

Alex Kirk alex.kirk at ...435...
Wed Dec 1 06:09:09 EST 2004


Given that you're saying these hosts are all internal to your network, 
and that these rules both take the form of:

alert tcp $EXTERNAL_NET any -> $HOME_NET 445

have you checked that your $EXTERNAL_NET and $HOME_NET variables are set 
correctly?

Alex Kirk
Research Analyst
Sourcefire, Inc.

>
> Hi All
> I had a question regarding netbios rules. Lately I have been receiving 
> a lot of the alerts as shown below, where A.A.A.A and B.B.B.B are all 
> internal hosts to my network. In addition, B.B.B.B is the IP address of 
> our domain controller. Is this merely a false positive or something I 
> should be concerned about? How do I go about troubleshooting further to 
> see what exactly is happening? Any help will be appreciated.
>
> Thanks
> Ravi
>
> [**] [1:2466:4] NETBIOS SMB-DS IPC$ share unicode access [**]
> [Classification: Generic Protocol Command Decode] [Priority: 3]
> 11/30-14:05:00.173386 A.A.A.A:1105 -> B.B.B.B:139
> TCP TTL:128 TOS:0x0 ID:22636 IpLen:20 DgmLen:128 DF
> ***AP*** Seq: 0xD1482D9A  Ack: 0x4A54B89D  Win: 0xFFFF  TcpLen: 20
>
> [**] [1:2404:5] NETBIOS SMB-DS Session Setup AndX request unicode 
> username overflow attempt [**]
> [Classification: Attempted Administrator Privilege Gain] [Priority: 1]
> 11/30-14:05:00.163386  A.A.A.A:1105 -> B.B.B.B:445
> TCP TTL:128 TOS:0x0 ID:22635 IpLen:20 DgmLen:1440 DF
> ***AP*** Seq: 0xD1482822  Ack: 0x4A54B769  Win: 0xFAB7  TcpLen: 20
> [Xref => 
> http://www.eeye.com/html/research/advisories/ad20040226.html][Xref => 
> http://www.securityfocus.com/bid/9752]
>
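The check Alex is pointing at can be made concrete. The script below is an added illustration (not Snort code, and not part of this thread): it resolves `$HOME_NET` / `$EXTERNAL_NET` the way a Snort rule header does and evaluates the header `alert tcp $EXTERNAL_NET any -> $HOME_NET 445` against a constructed internal-to-internal packet. All addresses, the `10.0.0.0/8` home network and the two variable configurations are assumed sample values chosen to show the effect; the point is that with `EXTERNAL_NET any` an internal source still satisfies the header, while `EXTERNAL_NET !$HOME_NET` excludes it.

```python
"""Evaluate a Snort-style rule header against a packet under a given
variable configuration.  Added example for illustration; this is a
simplified model of Snort's header matching, not Snort itself."""
import ipaddress


def parse_ip_var(value, variables):
    """Resolve an IP specification into (negated, [networks]).

    Handles 'any', '$NAME' (lookup in `variables`), '!<spec>' (negation)
    and bracketed CIDR lists such as '[10.0.0.0/8,192.168.0.0/16]'.
    """
    value = value.strip()
    negate = False
    if value.startswith("!"):
        negate = True
        value = value[1:]
    if value == "any":
        return negate, [ipaddress.ip_network("0.0.0.0/0")]
    if value.startswith("$"):
        inner_neg, nets = parse_ip_var(variables[value[1:]], variables)
        # '!$HOME_NET' is the negation of whatever HOME_NET resolves to
        return negate != inner_neg, nets
    value = value.strip("[]")
    return negate, [ipaddress.ip_network(v.strip()) for v in value.split(",")]


def ip_matches(addr, spec, variables):
    """True if `addr` satisfies `spec` (honouring a leading '!')."""
    negate, nets = parse_ip_var(spec, variables)
    a = ipaddress.ip_address(addr)
    hit = any(a in n for n in nets)
    return hit != negate


def port_matches(port, spec):
    return spec == "any" or int(spec) == port


def header_matches(rule_header, pkt, variables):
    """rule_header like 'alert tcp $EXTERNAL_NET any -> $HOME_NET 445'."""
    action, proto, src, sport, arrow, dst, dport = rule_header.split()
    if arrow != "->":
        raise ValueError("only unidirectional headers are modelled here")
    return (proto == pkt["proto"]
            and ip_matches(pkt["src"], src, variables)
            and port_matches(pkt["sport"], sport)
            and ip_matches(pkt["dst"], dst, variables)
            and port_matches(pkt["dport"], dport))


# The header shape both NETBIOS rules in the thread use.
RULE = "alert tcp $EXTERNAL_NET any -> $HOME_NET 445"

# Constructed packets: an internal workstation talking to an internal
# domain controller (the situation in the thread), and a genuinely
# external source.  Addresses are sample values, not from the thread.
INTERNAL_PKT = {"proto": "tcp", "src": "10.1.2.3", "sport": 1105,
                "dst": "10.1.2.10", "dport": 445}
EXTERNAL_PKT = {"proto": "tcp", "src": "203.0.113.7", "sport": 1105,
                "dst": "10.1.2.10", "dport": 445}

# Weak configuration: EXTERNAL_NET left at 'any' (assumed home range).
WEAK_VARS = {"HOME_NET": "[10.0.0.0/8]", "EXTERNAL_NET": "any"}
# Corrected configuration: everything that is not HOME_NET is external.
# In snort.conf this corresponds to
#   ipvar HOME_NET [10.0.0.0/8]
#   ipvar EXTERNAL_NET !$HOME_NET
FIXED_VARS = {"HOME_NET": "[10.0.0.0/8]", "EXTERNAL_NET": "!$HOME_NET"}

if __name__ == "__main__":
    for name, variables in (("weak", WEAK_VARS), ("fixed", FIXED_VARS)):
        print(name, "internal->internal fires:",
              header_matches(RULE, INTERNAL_PKT, variables))
        print(name, "external->internal fires:",
              header_matches(RULE, EXTERNAL_PKT, variables))
```

Running it shows the internal-to-internal packet matching only under the weak configuration, while the external source matches under both; that is the difference Alex's question is aimed at, and it is the first thing to check before treating the alert as a real privilege-gain attempt.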
