[Snort-sigs] FP on three SMB umpnpmgr rules!!

Jason Haar Jason.Haar at ...651...
Fri Dec 2 16:11:00 EST 2005


I just triggered this myself. It generated over 50 alerts on three
different umpnpmgr rules:

NETBIOS SMB-DS umpnpmgr PNP_GetDeviceList unicode little endian attempt
NETBIOS SMB-DS umpnpmgr PNP_GetDeviceList unicode attempt
NETBIOS SMB-DS umpnpmgr PNP_GetDeviceListSize unicode little endian attempt

I had connected (as Administrator) from a Win2K3 Domain Controller to a
remote Win2K laptop in order to restart some service - not exactly a
strange thing to do...

Example packet dump of the event follows:

000 : 00 00 00 98 FF 53 4D 42 25 00 00 00 00 18 07 C8   .....SMB%.......
010 : 00 00 00 00 00 00 00 00 00 00 00 00 00 08 A4 07   ................
020 : 00 08 31 AA 10 00 00 44 00 00 00 00 04 00 00 00   ..1....D........
030 : 00 00 00 00 00 00 00 00 00 54 00 44 00 54 00 02   .........T.D.T..
040 : 00 26 00 07 C0 55 00 00 5C 00 50 00 49 00 50 00   .&...U..\.P.I.P.
050 : 45 00 5C 00 00 00 00 00 05 00 00 03 10 00 00 00   E.\.............
060 : 44 00 00 00 03 00 00 00 2C 00 00 00 00 00 0B 00   D.......,.......
070 : 00 00 02 00 0B 00 00 00 00 00 00 00 0B 00 00 00   ................
080 : 53 00 41 00 56 00 53 00 65 00 72 00 76 00 69 00   S.A.V.S.e.r.v.i.
090 : 63 00 65 00 00 00 00 00 02 00 00 00               c.e.........

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
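The dump above decodes cleanly by hand, but for triaging a burst of alerts like this it helps to have a small decoder. The following is an added example, not code from the post or from the Snort project: it transcribes the hex dump into a byte string and walks the SMB1 header, the SMB_COM_TRANSACTION request and the DCE/RPC PDU far enough to recover what these NetBIOS/umpnpmgr signatures key on: a request on the \PIPE\ named pipe, its opnum, and the UTF-16LE string carried in the stub. Field layouts follow MS-CIFS and the DCE/RPC connection-oriented PDU header; reading the stub as "NDR conformant varying wide string followed by a DWORD" is my interpretation of this one packet, and the assumption that opnum 11 is PNP_GetDeviceListSize (the third rule name above) is from my recollection of the MS-PNP interface, not from the post. The interface itself is negotiated in the earlier bind PDU, which this fragment does not contain.

```python
"""Decode the SMB Transaction / DCE-RPC request captured in the post (added example)."""
import struct

# Constructed from the hex dump in the post, offsets 0x000-0x09B.
PACKET = bytes.fromhex("""
    00 00 00 98 FF 53 4D 42 25 00 00 00 00 18 07 C8
    00 00 00 00 00 00 00 00 00 00 00 00 00 08 A4 07
    00 08 31 AA 10 00 00 44 00 00 00 00 04 00 00 00
    00 00 00 00 00 00 00 00 00 54 00 44 00 54 00 02
    00 26 00 07 C0 55 00 00 5C 00 50 00 49 00 50 00
    45 00 5C 00 00 00 00 00 05 00 00 03 10 00 00 00
    44 00 00 00 03 00 00 00 2C 00 00 00 00 00 0B 00
    00 00 02 00 0B 00 00 00 00 00 00 00 0B 00 00 00
    53 00 41 00 56 00 53 00 65 00 72 00 76 00 69 00
    63 00 65 00 00 00 00 00 02 00 00 00
""")

SMB_COM_TRANSACTION = 0x25
TRANS_TRANSACT_NMPIPE = 0x0026   # Setup[0] of a named-pipe transaction
DCERPC_PTYPE_REQUEST = 0


def read_utf16z(buf: bytes, off: int) -> str:
    """Read a NUL-terminated UTF-16LE string starting at off."""
    end = off
    while buf[end:end + 2] != b"\x00\x00":
        end += 2
    return buf[off:end].decode("utf-16-le")


def parse_smb_rpc(pkt: bytes) -> dict:
    """Return the fields a signature analyst wants from one SMB1 Trans/RPC request."""
    nb_len = struct.unpack(">I", pkt[:4])[0] & 0x00FFFFFF   # NetBIOS session header
    if nb_len != len(pkt) - 4 or pkt[4:8] != b"\xffSMB":
        raise ValueError("not a complete SMB1 session message")
    hdr = 4                                   # SMB header starts after the NetBIOS header
    command = pkt[hdr + 4]
    if command != SMB_COM_TRANSACTION:
        raise ValueError(f"unexpected SMB command 0x{command:02x}")
    word_count = pkt[hdr + 32]
    params = pkt[hdr + 33: hdr + 33 + 2 * word_count]
    # Trans request parameter words: DataCount, DataOffset, SetupCount, then Setup[].
    data_count, data_offset, setup_count = struct.unpack_from("<HHB", params, 22)
    setup = struct.unpack_from(f"<{setup_count}H", params, 28)
    # ByteCount follows the parameter words; the pipe name is 2-byte aligned after it.
    name_off = hdr + 33 + 2 * word_count + 2
    if (name_off - hdr) % 2:
        name_off += 1
    pipe = read_utf16z(pkt, name_off)

    rpc = hdr + data_offset                   # DataOffset is relative to the SMB header
    vers, minor, ptype, flags, frag_len, auth_len, call_id = struct.unpack_from(
        "<BBBB4xHHI", pkt, rpc)               # 4x skips the data representation bytes
    if (vers, ptype) != (5, DCERPC_PTYPE_REQUEST):
        raise ValueError("not a DCE/RPC v5 request PDU")
    alloc_hint, ctx_id, opnum = struct.unpack_from("<IHH", pkt, rpc + 16)
    stub = pkt[rpc + 24: rpc + frag_len]

    # Stub as seen in this packet (assumption): NDR conformant varying wide string,
    # i.e. referent id, max count, offset, actual count, chars; then a DWORD.
    referent, max_count, offset, actual = struct.unpack_from("<IIII", stub, 0)
    text = stub[16:16 + 2 * actual].decode("utf-16-le").rstrip("\x00")
    tail = 16 + 2 * actual
    tail += (-tail) % 4                       # NDR aligns the next DWORD to 4 bytes
    (trailing_dword,) = struct.unpack_from("<I", stub, tail)

    return {
        "trans_function": setup[0],
        "fid": setup[1],
        "pipe": pipe,
        "call_id": call_id,
        "opnum": opnum,
        "stub_string": text,
        "stub_string_chars": actual,
        "trailing_dword": trailing_dword,
        "stub_len": len(stub),
        "alloc_hint": alloc_hint,
    }


def summarize(info: dict) -> str:
    """One-line triage summary for the alert ticket."""
    return (f"DCE/RPC request opnum {info['opnum']} on {info['pipe']} "
            f"(FID 0x{info['fid']:04x}), stub {info['stub_len']} bytes, "
            f"string {info['stub_string']!r} ({info['stub_string_chars']} chars), "
            f"flags 0x{info['trailing_dword']:x}")


if __name__ == "__main__":
    print(summarize(parse_smb_rpc(PACKET)))
```

Run against the dump it reports opnum 11 with an 11-character string "SAVService" and a 44-byte stub that matches the alloc_hint exactly: the request is well-formed and carries nothing beyond a short service name, which is consistent with the administrative service restart Jason describes. The same decoder applied to each of the 50-odd alerts (opnum, string length, stub vs. alloc_hint) is a quick way to separate routine Plug and Play enumeration from anything malformed before deciding whether to tune the rules.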