[Snort-sigs] netbios rule question

Russell Fulton r.fulton at ...575...
Thu Dec 2 23:42:01 EST 2004

On Wed, 2004-12-01 at 09:10 -0500, Alex Kirk wrote:
> Given that you're saying these hosts are all internal to your network, 
> and that these rules both take the form of:
> alert tcp $EXTERNAL_NET any -> $HOME_NET 445
> have you checked that your $EXTERNAL_NET and $HOME_NET variables are set 
> correctly?

Many of us deliberately set $EXTERNAL_NET to any (particularly if you
are a university ;) and yes, this causes problems with some rules.
> Alex Kirk
> Research Analyst
> Sourcefire, Inc.
> >
> > Hi All
> > I had a question regarding netbios rules. Lately I have been receiving 
> > a lot of the alerts as shown below, where A.A.A.A and B.B.B.B are all 
> > internal hosts to my network. In addition, B.B.B.B is the IP address of 
> > our domain controller.  Is this merely a false positive or something I 
> > should be concerned about? How do I go about troubleshooting further to 
> > see what exactly is happening? Any help will be appreciated.
> >

IIRC these will occur when Samba is used to access resources on Windows
servers (this is mentioned in the rule write-up on www.snort.org).  If
you have external_net including your local address space and you have
Linux systems, you will probably be better off disabling these rules.

Russell Fulton, Information Security Officer, The University of Auckland
New Zealand
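The variable question raised above is easy to check by hand: the NETBIOS rules share the header `tcp $EXTERNAL_NET any -> $HOME_NET 445`, so whether an internal-to-internal SMB connection is even inspected depends entirely on how $EXTERNAL_NET is defined. The following toy matcher is an added example (not from this thread, not Snort's own code) that models only the header syntax the discussion needs: `any`, bracketed CIDR lists, `$VAR` references and `!` negation. The address ranges in the two snort.conf-style configurations are hypothetical RFC 1918 and documentation-range prefixes, not anyone's real network.

```python
"""Toy model of Snort rule-header matching for the $EXTERNAL_NET/$HOME_NET question.

Constructed example: real Snort supports far more (nested lists, ipvar/portvar,
negated list members). This covers only 'any', [a,b] CIDR lists, $VAR and '!'.
"""
import ipaddress


def resolve_net(spec, variables):
    """Expand a Snort address spec into None (meaning 'any') or (negated, [networks])."""
    spec = spec.strip()
    negated = False
    while True:
        if spec.startswith("!"):
            negated = not negated
            spec = spec[1:].strip()
        if spec.startswith("$"):            # variable reference, e.g. $HOME_NET
            spec = variables[spec[1:]].strip()
            continue
        break
    if spec == "any":
        if negated:
            raise ValueError("'!any' is rejected by Snort and matches nothing useful")
        return None
    nets = [ipaddress.ip_network(tok.strip()) for tok in spec.strip("[]").split(",")]
    return negated, nets


def addr_matches(addr, resolved):
    if resolved is None:                     # 'any' matches every address
        return True
    negated, nets = resolved
    hit = any(ipaddress.ip_address(addr) in net for net in nets)
    return hit != negated


def port_matches(port, spec):
    spec = spec.strip()
    if spec == "any":
        return True
    if ":" in spec:                          # Snort range syntax lo:hi
        lo, hi = spec.split(":")
        return int(lo or 0) <= port <= int(hi or 65535)
    return port == int(spec)


def header_matches(header, variables, src_ip, src_port, dst_ip, dst_port):
    """Evaluate 'proto src sport dir dst dport' against one TCP connection."""
    proto, src, sport, direction, dst, dport = header.split()
    assert proto == "tcp" and direction in ("->", "<>")
    fwd = (addr_matches(src_ip, resolve_net(src, variables)) and port_matches(src_port, sport)
           and addr_matches(dst_ip, resolve_net(dst, variables)) and port_matches(dst_port, dport))
    if direction == "->" or fwd:
        return fwd
    # '<>' also matches the connection seen in the reverse direction
    return (addr_matches(dst_ip, resolve_net(src, variables)) and port_matches(dst_port, sport)
            and addr_matches(src_ip, resolve_net(dst, variables)) and port_matches(src_port, dport))


# Header shared by the NETBIOS SMB rules discussed in the thread.
SMB_HEADER = "tcp $EXTERNAL_NET any -> $HOME_NET 445"

# Hypothetical snort.conf variable settings (RFC 1918 space, not a real site).
CONFIG_ANY = {"HOME_NET": "[10.0.0.0/8,192.168.0.0/16]", "EXTERNAL_NET": "any"}
CONFIG_STRICT = {"HOME_NET": "[10.0.0.0/8,192.168.0.0/16]", "EXTERNAL_NET": "!$HOME_NET"}


def smb_rule_fires(config, client_ip, server_ip, client_port=49152):
    """Would a rule using SMB_HEADER inspect this client -> server:445 connection?"""
    return header_matches(SMB_HEADER, config, client_ip, client_port, server_ip, 445)


if __name__ == "__main__":
    # A.A.A.A (Samba client) talking to B.B.B.B (domain controller), both internal,
    # next to a genuinely external client hitting the same DC.
    for name, cfg in (("EXTERNAL_NET any", CONFIG_ANY), ("EXTERNAL_NET !$HOME_NET", CONFIG_STRICT)):
        print(f"{name:24s} internal->DC: {smb_rule_fires(cfg, '10.1.2.3', '10.1.2.10')!s:5s} "
              f"internet->DC: {smb_rule_fires(cfg, '198.51.100.7', '10.1.2.10')}")
```

With `EXTERNAL_NET any`, the internal Samba client's connection to the domain controller passes the header and the rule's payload checks get a chance to fire; with `!$HOME_NET` the same connection is never inspected, while a connection from 198.51.100.7 still is. That is the trade-off Russell describes: `any` keeps coverage of attacks from inside the address space at the cost of this kind of noise.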
