[Snort-sigs] SID 2404, NETBIOS SMB-DS Session Setup AndX request unicode username overflow attempt

Lance Boon lboon at ...2573...
Wed Jun 23 08:01:04 EDT 2004


I've got a question on SID 2404 NETBIOS SMB-DS Session Setup AndX
request unicode username overflow attempt. According to the Snort
Signature Database it says that "This event is generated when an attempt
is made to exploit a known vulnerability in ISS RealSecure and BlackICE
products." Why would this be alerting on traffic from a Windows 2003
Server to a Windows XP Pro workstation, both patched to the latest
service packs and hot fixes? I also have this alert triggering on
traffic from Windows 2003 to Windows 2000 Pro machines as well. I don't
have ISS RealSecure or BlackICE running on any of these systems.

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS Session Setup AndX request unicode username overflow attempt"; flow:to_server,established; content:"|00 00|"; distance:0; content:"|00 00|"; distance:0; content:"|00|"; depth:1; byte_test:2,>,322,2; content:"|FF|SMBs"; depth:5; offset:4; nocase; byte_test:1,&,128,6,relative; byte_test:2,>,255,54,relative,little; content:"|00|"; distance:56; content:"|00 00|"; distance:255; content:"|00 00|"; distance:0; reference:bugtraq,9752; reference:url,www.eeye.com/html/Research/Advisories/AD20040226.html; classtype:attempted-admin; sid:2404; rev:5;)
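
Added example, not part of the original post and not Snort code: a Python evaluation of only the fixed-offset options in the quoted rule, run against two constructed Session Setup AndX requests to show which packet bytes each option reads. It goes beyond the post by covering both the WordCount 13 and WordCount 12 (extended security) request layouts; the packets, field values and the helper names `build` and `byte_count` are assumptions made for illustration, and the floating `|00 00|` content matches are not modelled.

```python
import struct

def fixed_offset_checks(p: bytes) -> dict:
    """Evaluate only SID 2404's fixed-offset options on one TCP payload."""
    if len(p) < 65:
        raise ValueError("payload too short for the offsets the rule reads")
    return {
        # content:"|00|"; depth:1 -> NetBIOS session message type
        "nbss_type_00": p[0] == 0x00,
        # byte_test:2,>,322,2 -> big-endian 16 bits at offset 2 (NBSS length)
        "nbss_len_gt_322": struct.unpack_from(">H", p, 2)[0] > 322,
        # content:"|FF|SMBs"; depth:5; offset:4; nocase -> SMB command 0x73
        "smb_session_setup": p[4:9].lower() == b"\xffsmbs",
        # byte_test:1,&,128,6,relative -> 9 + 6 = offset 15, high byte of Flags2
        "flags2_unicode": bool(p[15] & 128),
        # byte_test:2,>,255,54,relative,little -> 9 + 54 = offset 63
        "le16_at_63_gt_255": struct.unpack_from("<H", p, 63)[0] > 255,
    }

def build(params: bytes, data: bytes) -> bytes:
    """Constructed Session Setup AndX request: NBSS header + SMB header + body."""
    hdr = b"\xffSMB\x73" + b"\x00" * 4 + b"\x18" + struct.pack("<H", 0x8001) + b"\x00" * 20
    body = bytes([len(params) // 2]) + params + struct.pack("<H", len(data)) + data
    return b"\x00" + struct.pack(">I", len(hdr + body))[1:] + hdr + body

def byte_count(p: bytes) -> int:
    """Real ByteCount: follows the WordCount byte (offset 36) and its words."""
    return struct.unpack_from("<H", p, 37 + 2 * p[36])[0]

# Constructed, WordCount 13 (no extended security): ByteCount sits at offset 63.
WC13 = build(struct.pack("<BBHHHHIHHII", 0xFF, 0, 0, 4356, 10, 0, 0, 1, 0, 0, 0x54),
             b"\x00" + b"u\x00s\x00e\x00r\x00\x00\x00" + b"\x00" * 29)
# Constructed, WordCount 12 (extended security): ByteCount at 61, blob starts at 63.
WC12 = build(struct.pack("<BBHHHHIHII", 0xFF, 0, 0, 4356, 10, 0, 0, 72, 0, 0x800000D4),
             b"\x60\x48" + b"\x00" * 70 + b"\x00\x00")

if __name__ == "__main__":
    for name, pkt in (("WC13", WC13), ("WC12", WC12)):
        print(name, "ByteCount =", byte_count(pkt), fixed_offset_checks(pkt))
```

For the constructed WordCount 12 packet, the 16-bit read at offset 63 lands on the first two bytes of the security blob, so that byte_test passes even though the real ByteCount is 74.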
