[Snort-sigs] Is correct this alert? "NETBIOS SMB IPC$ share unicode access"

lee Jerry linger_on at ...12...
Wed Jun 2 19:12:01 EDT 2004


Thanks.

I want to know what the bug is, concretely.
Does the bug apply to snort v 2.1.1?
I didn't find any available information.
Where can I get the information related to the bug?



>From: Matthew Watchinski <mwatchinski at ...435...>
>To: lee Jerry <linger_on at ...12...>
>Subject: Re: [Snort-sigs] Is correct this alert? "NETBIOS SMB IPC$ share unicode access"
>Date: Wed, 02 Jun 2004 10:14:49 -0400
>
>Update snort to 2.1.2 or 2.1.3RC1, this is a known output plugin bug that is
>fixed in later releases.
>
>-matt
>
>lee Jerry wrote:
> > Snort version: 2.11
> > Snort rule date: 05/10/2004
> > OS: Windows 2K
> >
> > I found several strange alerts.
> > --------------------------
> > 05/10-20:27:03.189495 [**] [1:538:8] NETBIOS SMB IPC$ share unicode access [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {ICMP} 64.124.11.138 -> 192.168.93.6
> > --------------------------
> > I think that this alert is incorrect.
> >
> > This alert shows that there were NETBIOS share accesses and the packet
> > corresponding to the alert is an ICMP packet.
> >
> > I think that the protocol doesn't match the alert message. If the message
> > really is "NETBIOS SMB IPC$...", the protocol must be "TCP".
> > Don't you think so?
> >
> > But the actual packet corresponding to the alert is "ICMP Destination
> > Unreachable (Host unreachable)."
> > The actual packet doesn't trigger "NETBIOS SMB IPC$ share unicode access".
> > The actual packet is only the ICMP packet that responds to a previous
> > packet.
> > I guess that the previous packet is "NETBIOS SMB IPC$ share unicode access".
> >
> > How can this alert occur?
> > What's the problem?
> >
> > Otherwise, do I understand the snort rule wrongly? I'm poor at
> > English. Sorry. Thanks.
> >
> > the below information is about the raw packet
> > ------ using ethereal ------------------------
> > Internet Protocol, Src Addr: 64.124.11.138 (64.124.11.138), Dst Addr: 192.168.93.6 (192.168.93.6)
> > Internet Control Message Protocol
> >     Type: 3 (Destination unreachable)
> >     Code: 1 (Host unreachable)
> >     Checksum: 0x5d5d (correct)
> >     Internet Protocol, Src Addr: 192.168.93.6 (192.168.93.6), Dst Addr: 16.121.143.254 (16.121.143.254)
> >         Version: 4
> >         Header length: 20 bytes
> >         Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
> >             0000 00.. = Differentiated Services Codepoint: Default (0x00)
> >             .... ..0. = ECN-Capable Transport (ECT): 0
> >             .... ...0 = ECN-CE: 0
> >         Total Length: 48
> >         Identification: 0x05d0 (1488)
> >         Flags: 0x00
> >             .0.. = Don't fragment: Not set
> >             ..0. = More fragments: Not set
> >         Fragment offset: 0
> >         Time to live: 118
> >         Protocol: TCP (0x06)
> >         Header checksum: 0x7fd2 (incorrect, should be 0x80d2)
> >         Source: 192.168.93.6 (192.168.93.6)
> >         Destination: 16.121.143.254 (16.121.143.254)
> >     Transmission Control Protocol, Src Port: 2271 (2271), Dst Port: 2745 (2745)
> >         Source port: 2271 (2271)
> >         Destination port: 2745 (2745)
> >
> > 0000  00 0c 29 24 05 54 00 50 56 c0 00 01 08 00 45 00   ..)$.T.PV.....E.
> > 0010  00 38 34 6b 00 00 32 01 ea a5 40 7c 0b 8a c0 a8   .84k..2...@|....
> > 0020  5d 06 03 01 5d 5d 00 00 00 00 45 00 00 30 05 d0   ]...]]....E..0..
> > 0030  00 00 76 06 7f d2 c0 a8 5d 06 10 79 8f fe 08 df   ..v.....]..y....
> > 0040  0a b9 af d9 dd 2f                                 ...../
> > -------------------------------------------------
> >
>

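Added example, not part of the original thread: a decoder for the frame in the Ethereal dump quoted above, showing that the ICMP Destination Unreachable packet carries the IP header and first 8 bytes of the TCP datagram it answers. The frame bytes are transcribed from the post; the function and variable names are this example's own.

```python
import struct
from ipaddress import IPv4Address

# Frame bytes transcribed from the Ethereal hex dump quoted in the post.
FRAME = bytes.fromhex(
    "000c29240554005056c0000108004500"
    "0038346b00003201eaa5407c0b8ac0a8"
    "5d0603015d5d000000004500003005d0"
    "000076067fd2c0a85d0610798ffe08df"
    "0ab9afd9dd2f"
)
PROTO = {1: "ICMP", 6: "TCP", 17: "UDP"}
# RFC 792 error messages quote the offending IP header plus 8 payload bytes.
ICMP_ERROR_TYPES = (3, 4, 5, 11, 12)


def parse_ipv4(buf):
    """Return (fields, payload) for an IPv4 header at the start of buf."""
    ihl = (buf[0] & 0x0F) * 4 if buf else 0
    if not buf or buf[0] >> 4 != 4 or ihl < 20 or len(buf) < ihl:
        raise ValueError("not a complete IPv4 header")
    (total_len,) = struct.unpack("!H", buf[2:4])
    fields = {
        "proto": PROTO.get(buf[9], str(buf[9])),
        "src": str(IPv4Address(buf[12:16])),
        "dst": str(IPv4Address(buf[16:20])),
    }
    # A quoted datagram is truncated, so the slice may be shorter than total_len.
    return fields, buf[ihl:total_len]


def decode_alert_packet(frame):
    """Decode an Ethernet/IPv4 frame and any datagram quoted by an ICMP error."""
    if len(frame) < 14 or frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 Ethernet frame")
    outer, payload = parse_ipv4(frame[14:])
    result = {"outer": outer, "icmp": None, "quoted": None}
    if outer["proto"] == "ICMP" and len(payload) >= 8:
        result["icmp"] = {"type": payload[0], "code": payload[1]}
        if payload[0] in ICMP_ERROR_TYPES:
            quoted, l4 = parse_ipv4(payload[8:])
            if quoted["proto"] in ("TCP", "UDP") and len(l4) >= 4:
                quoted["sport"], quoted["dport"] = struct.unpack("!HH", l4[:4])
            result["quoted"] = quoted
    return result


if __name__ == "__main__":
    for layer, fields in decode_alert_packet(FRAME).items():
        print(layer, fields)
```

The outer header is what the alert line logged ({ICMP} 64.124.11.138 -> 192.168.93.6); the quoted header is the earlier TCP packet from 192.168.93.6 that the ICMP error refers to.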