[Snort-sigs] need one help...

Alex Kirk alex.kirk at ...435...
Mon Dec 6 07:16:03 EST 2004


Pravin,

Generally, if you're looking for help analyzing a sequence of alerts, 
you'll want to ask specific questions about them -- like what they might 
signify, whether they're false positives, whether you should be 
concerned. You're likely to get a much better response by asking 
specific questions than by just saying "help me with this."

That being noted, there's a couple of things I can tell you off the top 
of my head that might help out. First off, are you using a current 
version of Snort, and more importantly, a current rule pack? The current 
alert string for this is "NETBIOS SMB IPC$ unicode share access".

Second, is 210.210.x.x actually external to your network, or are these 
just hosts on a different segment of the network (i.e. at a different 
campus on a university network)? If both 210.210.x.x and 202.144.x.x are 
internal to your network, you need to properly set $HOME_NET and 
$EXTERNAL_NET.

Finally, keep in mind that these are most likely relatively low-priority 
alerts. All this signifies is that the default Windows share of IPC$ is 
being accessed via an SMB client of some sort (either another Windows 
box, Samba, or something along those lines); this can happen all the 
time on networks with a decent number of Windows machines. Of course, it 
can be a bad thing if you're not trying to share files across the 
network, if you've got no Windows boxes, etc., but chances are it's not 
an issue.

If this doesn't answer your questions and/or you need more information, 
please respond with detailed questions and information relevant to the 
question.

Alex Kirk
Research Analyst
Sourcefire, Inc.

> Hi all,
>  
> Can anybody help analyse the logs below?
>  
>  
> #0-(1-35184)  NETBIOS SMB IPC$ unicode share access  2004-12-04 16:07:23  210.210.XX.XX:1213  202.144.XX.XX:139  TCP
> #1-(1-35192)  NETBIOS SMB IPC$ unicode share access  2004-12-04 16:07:24  210.210.XX.XX:1217  202.144.XX.XX:139  TCP
> #2-(1-35198)  NETBIOS SMB IPC$ unicode share access  2004-12-04 16:07:25  210.210.XX.XX:1223  202.144.XX.XX:139  TCP
> #3-(1-35206)  NETBIOS SMB IPC$ unicode share access  2004-12-04 16:07:27  210.210.XX.XX:1230  202.144.XX.XX:139  TCP
> #4-(1-35213)  NETBIOS SMB IPC$ unicode share access  2004-12-04 16:07:30  210.210.XX.XX:1237  202.144.XX.XX:139  TCP
> #5-(1-35219)  NETBIOS SMB IPC$ unicode share access  2004-12-04 16:07:31  210.210.XX.XX:1243  202.144.XX.XX:139  TCP
>
> Thanks in Advance.
>
> Rgds,
> Pravin
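As an added example (not part of the thread, and not Sourcefire code), the script below parses rows shaped like the ones Pravin quoted and shows which of them would still match a rule whose header is `alert tcp $EXTERNAL_NET any -> $HOME_NET 139` once HOME_NET covers both address ranges, compared with the default `any`. The rule header, the `->` separator and the sample host addresses are assumptions.

```python
import ipaddress
import re

# Constructed sample rows modelled on the quoted ACID output. The poster masked
# the host octets as XX; the addresses here are placeholders, not real hosts.
SAMPLE_ALERTS = """\
NETBIOS SMB IPC$ unicode share access 2004-12-04 16:07:23 210.210.1.10:1213 -> 202.144.2.20:139 TCP
NETBIOS SMB IPC$ unicode share access 2004-12-04 16:07:24 210.210.1.10:1217 -> 202.144.2.20:139 TCP
NETBIOS SMB IPC$ unicode share access 2004-12-04 16:07:25 198.51.100.7:1223 -> 202.144.2.20:139 TCP
"""

ALERT_RE = re.compile(
    r"^(?P<sig>.+?) (?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\S+)$"
)


def parse_alerts(text):
    """Turn flattened alert rows into dicts; rows that do not parse are skipped."""
    return [m.groupdict() for line in text.splitlines()
            if (m := ALERT_RE.match(line.strip()))]


def in_home_net(ip, home_net):
    """Snort's 'any' matches every address; otherwise test each listed network."""
    if home_net == "any":
        return True
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(n) for n in home_net)


def header_fires(alert, home_net):
    """Assumed header: alert tcp $EXTERNAL_NET any -> $HOME_NET 139, with
    EXTERNAL_NET defined as !$HOME_NET (or 'any' while HOME_NET is 'any')."""
    src_external = home_net == "any" or not in_home_net(alert["src"], home_net)
    return (alert["proto"] == "TCP" and alert["dport"] == "139"
            and src_external and in_home_net(alert["dst"], home_net))


def triage(text, home_net):
    """Return [(src, dst, verdict)] so the effect of the variable change is visible."""
    return [(a["src"], a["dst"], "fires" if header_fires(a, home_net) else "no match")
            for a in parse_alerts(text)]


if __name__ == "__main__":
    print(triage(SAMPLE_ALERTS, "any"))                                 # default: all rows fire
    print(triage(SAMPLE_ALERTS, ["210.210.0.0/16", "202.144.0.0/16"]))  # only the outside host fires
```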