[Snort-sigs] netbios rule question

Russell Fulton r.fulton at ...575...
Thu Dec 2 23:42:01 EST 2004


On Wed, 2004-12-01 at 09:10 -0500, Alex Kirk wrote:
> Given that you're saying these hosts are all internal to your network, 
> and that these rules both take the form of:
> 
> alert tcp $EXTERNAL_NET any -> $HOME_NET 445
> 
> have you checked that your $EXTERNAL_NET and $HOME_NET variables are set 
> correctly?

Many of us deliberately set $EXTERNAL_NET to any (particularly if you
are a university ;) and yes, this causes problems with some rules.
> 
> Alex Kirk
> Research Analyst
> Sourcefire, Inc.
> 
> >
> > Hi All
> > I had a question regarding netbios rules. Lately I have been receiving 
> > a lot of the alerts as shown below where A.A.A.A and B.B.B.B are all 
> > internal hosts to my network. In addition B.B.B.B is the IP address of 
> > our domain controller.  Is this merely a false positive or something I 
> > should be concerned about? How do I go about troubleshooting further to 
> > see what exactly is happening? Any help will be appreciated.
> >

IIRC these will occur when Samba is used to access resources on Windows
servers (this is mentioned in the rule write-up on www.snort.org).  If
you have EXTERNAL_NET including your local address space and you have
Linux systems you will probably be better off disabling these rules.

Russell
-- 
Russell Fulton, Information Security Officer, The University of Auckland
New Zealand
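The $EXTERNAL_NET / $HOME_NET interaction discussed in this thread, written out as an added example (this is not code from the thread or from Snort itself). It emulates only the address/port part of the header `alert tcp $EXTERNAL_NET any -> $HOME_NET 445` against a few constructed flows, and shows why an internal Samba client talking to an internal domain controller fires the rule when EXTERNAL_NET is `any` but not when it is `!$HOME_NET`. The address blocks, hosts and the snort.conf lines in the comments are assumptions for illustration, not the poster's configuration.

```python
import ipaddress

# Constructed example address space. In a real deployment the values come
# from snort.conf, e.g. (assumed, not the poster's actual config):
#   var HOME_NET [10.0.0.0/8,192.168.0.0/16]
#   var EXTERNAL_NET !$HOME_NET      # or:  var EXTERNAL_NET any
HOME_NET = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]


def in_home_net(ip, home_net=HOME_NET):
    """True if ip falls inside any $HOME_NET block."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in home_net)


def in_external_net(ip, external_net, home_net=HOME_NET):
    """Evaluate $EXTERNAL_NET for a single source address.

    external_net is the snort.conf variable value: "any" matches every
    address (so internal sources match too), while "!$HOME_NET" matches
    only addresses outside $HOME_NET.
    """
    if external_net == "any":
        return True
    if external_net == "!$HOME_NET":
        return not in_home_net(ip, home_net)
    raise ValueError("unsupported EXTERNAL_NET value: %r" % (external_net,))


def rule_header_matches(src, dst, dport, external_net, home_net=HOME_NET):
    """Emulate the header:  alert tcp $EXTERNAL_NET any -> $HOME_NET 445

    Only the IP/port selection is modelled; the rule body (content matches
    on the SMB payload) is not, so this answers "could the header select
    this flow at all?", which is the question the variables decide.
    """
    return (in_external_net(src, external_net, home_net)
            and in_home_net(dst, home_net)
            and dport == 445)


# Constructed flows: an internal Samba client and the domain controller both
# live in HOME_NET (the A.A.A.A -> B.B.B.B case); the second source is outside.
SAMPLE_FLOWS = [
    ("10.1.2.3",    "10.0.0.5", 445),   # internal client -> internal DC
    ("203.0.113.7", "10.0.0.5", 445),   # outside host    -> internal DC
    ("10.1.2.3",    "10.0.0.5", 139),   # wrong port, header never matches
]


def evaluate(external_net, flows=SAMPLE_FLOWS):
    """One bool per flow: would the header select it under this EXTERNAL_NET?"""
    return [rule_header_matches(s, d, p, external_net) for s, d, p in flows]


if __name__ == "__main__":
    for setting in ("any", "!$HOME_NET"):
        print("EXTERNAL_NET = %-10s -> %s" % (setting, evaluate(setting)))
```

With `any`, the first flow (internal client to internal DC) is selected and every legitimate Samba session to the domain controller becomes a candidate alert; with `!$HOME_NET` it is excluded and only the outside source remains. The trade-off to keep in mind: narrowing EXTERNAL_NET to `!$HOME_NET` also stops these rules from ever firing on an attack launched from a compromised internal host, which is why sites that keep `any` (as Russell describes) end up disabling the noisy rules individually instead.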