[Snort-sigs] Is correct this alert? "NETBIOS SMB IPC$ share unicode access"

lee Jerry linger_on at ...12...
Tue Jun 1 23:59:06 EDT 2004


Snort version: 2.11 
Snort rule date: 05/10/2004 
OS: Windows 2K 

I found several strange alerts. 
-------------------------- 
05/10-20:27:03.189495 [**] [1:538:8] NETBIOS SMB IPC$ share unicode access 
[**] 
[Classification: Generic Protocol Command Decode] [Priority: 3] 
{ICMP} 64.124.11.138 -> 192.168.93.6 
-------------------------- 
I think that this alert is incorrect.

This alert says that there was a NETBIOS share access, 
but the packet corresponding to the alert is an ICMP packet.

I think that the protocol doesn't match the alert message. 
If the message really is "NETBIOS SMB IPC$...", the protocol must be "TCP". 

Don't you think so?

But the actual packet corresponding to the alert is 
"ICMP Destination Unreachable (Host unreachable)." 

The actual packet doesn't trigger "NETBIOS SMB IPC$ share unicode access". 
The actual packet is only the ICMP packet that responds to a previous 
packet.
I guess that the previous packet is the "NETBIOS SMB IPC$ share unicode access" one.

How can this alert have occurred?
What's the problem?
 
Or do I misunderstand the Snort rule? 
I'm poor at English, sorry. 
Thanx. 

The information below is about the raw packet: 
------ using ethereal ------------------------ 
*Internet Protocol, Src Addr: 64.124.11.138 (64.124.11.138), Dst Addr: 
192.168.93.6 (192.168.93.6) 
*Internet Control Message Protocol 
Type: 3 (Destination unreachable) 
Code: 1 (Host unreachable) 
Checksum: 0x5d5d (correct) 
Internet Protocol, Src Addr: 192.168.93.6 (192.168.93.6), Dst Addr: 
16.121.143.254 (16.121.143.254) 
Version: 4 
Header length: 20 bytes 
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00) 
0000 00.. = Differentiated Services Codepoint: Default (0x00) 
.... ..0. = ECN-Capable Transport (ECT): 0 
.... ...0 = ECN-CE: 0 
Total Length: 48 
Identification: 0x05d0 (1488) 
Flags: 0x00 
.0.. = Don't fragment: Not set 
..0. = More fragments: Not set 
Fragment offset: 0 
Time to live: 118 
Protocol: TCP (0x06) 
Header checksum: 0x7fd2 (incorrect, should be 0x80d2) 
Source: 192.168.93.6 (192.168.93.6) 
Destination: 16.121.143.254 (16.121.143.254) 
Transmission Control Protocol, Src Port: 2271 (2271), Dst Port: 2745 (2745) 

Source port: 2271 (2271) 
Destination port: 2745 (2745) 
0000 00 0c 29 24 05 54 00 50 56 c0 00 01 08 00 45 00 ..)$.T.PV.....E. 
0010 00 38 34 6b 00 00 32 01 ea a5 40 7c 0b 8a c0 a8 .84k..2...@|.... 
0020 5d 06 03 01 5d 5d 00 00 00 00 45 00 00 30 05 d0 ]...]]....E..0.. 
0030 00 00 76 06 7f d2 c0 a8 5d 06 10 79 8f fe 08 df ..v.....]..y.... 
0040 0a b9 af d9 dd 2f ...../ 
-------------------------------------------------

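The check the poster is doing by hand, as an added Python example (not from the post, from Snort or from Ethereal): it parses the frame transcribed from the hex dump above, recomputes the outer IP, ICMP and quoted inner IP checksums that Ethereal reported, and pulls the ports out of the 8 quoted TCP bytes, which is all of the original segment an ICMP unreachable carries. The set of SMB ports (139, 445) is an assumption about what the NETBIOS rule would be looking at, not something stated in the post.

```python
import struct
from ipaddress import IPv4Address

# Frame bytes transcribed from the Ethereal hex dump in the post (70 bytes).
FRAME = bytes.fromhex(
    "000c29240554005056c0000108004500"
    "0038346b00003201eaa5407c0b8ac0a8"
    "5d0603015d5d000000004500003005d0"
    "000076067fd2c0a85d0610798ffe08df"
    "0ab9afd9dd2f"
)
SMB_PORTS = {139, 445}   # assumed: NetBIOS-SSN and direct-hosted SMB

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum (odd trailing byte is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_ipv4(buf: bytes) -> dict:
    """Decode the IPv4 fields an analyst needs and recompute the header checksum."""
    ihl = (buf[0] & 0x0F) * 4
    ttl, proto, csum = struct.unpack("!BBH", buf[8:12])
    return {"ttl": ttl, "proto": proto, "csum": csum,
            "csum_expected": inet_checksum(buf[:10] + b"\x00\x00" + buf[12:ihl]),
            "src": str(IPv4Address(buf[12:16])), "dst": str(IPv4Address(buf[16:20])),
            "payload": buf[ihl:]}

def triage_icmp_unreachable(frame: bytes) -> dict:
    """Separate what the datagram on the wire is (ICMP) from what its quoted
    inner header refers to (the TCP connection that was refused)."""
    outer = parse_ipv4(frame[14:])             # skip the 14-byte Ethernet header
    if outer["proto"] != 1:
        raise ValueError("outer datagram is not ICMP")
    icmp = outer["payload"]
    itype, code, icsum = struct.unpack("!BBH", icmp[:4])
    inner = parse_ipv4(icmp[8:])               # RFC 792: original header + 8 bytes
    sport, dport = struct.unpack("!HH", inner["payload"][:4])
    return {"outer": outer, "icmp_type": itype, "icmp_code": code,
            "icmp_csum_ok": inet_checksum(icmp[:2] + b"\x00\x00" + icmp[4:]) == icsum,
            "inner": inner, "sport": sport, "dport": dport,
            # Only 8 bytes of the TCP segment are quoted (ports, sequence number):
            # there is no SMB payload here for a content rule to match.
            "quoted_tcp_bytes": len(inner["payload"]),
            "inner_uses_smb_port": inner["proto"] == 6 and bool({sport, dport} & SMB_PORTS)}
```

Running `triage_icmp_unreachable(FRAME)` confirms Ethereal's reading: the outer IP and ICMP checksums validate, the quoted inner header carries 0x7fd2 where 0x80d2 is expected, and the quoted TCP ports are 2271 and 2745. The inner mismatch is exactly 0x0100, which is what a single TTL decrement applied after the checksum was written produces (0x7fd2 validates for TTL 119).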