[Snort-sigs] FPs with "NETBIOS SMB Trans2 FIND_FIRST2 response overflow attempt"

Jason Haar Jason.Haar at ...651...
Mon Feb 28 14:15:58 EST 2005


[This is for Snort-2.3.0]

I don't know how old that rule is, but it's just started triggering over 
the past 4 days on our network - and I don't think something's 
exploiting it.

We've had workstation-to-server hits as well as server-to-server hits - 
typically from WinXP and Win2003 - typically patched - certainly 
smothered with extra large helpings of AV that aren't detecting anything.

The packets captured by snort (viewed via ACID) don't show anything obvious.

Here are some samples

 length = 143

000 : 00 00 00 23 FF 53 4D 42 32 34 00 00 C0 98 07 C8   ...#.SMB24......
010 : 00 00 00 00 00 00 00 00 00 00 00 00 05 08 AC 0B   ................
020 : 01 08 83 DF 00 00 00 00 00 00 64 FF 53 4D 42 32   ..........d.SMB2
030 : 00 00 00 00 98 07 C8 00 00 00 00 00 00 00 00 00   ................
040 : 00 00 00 05 08 54 0E 01 08 C2 DF 0A 02 00 28 00   .....T........(.
050 : 00 00 02 00 38 00 00 00 28 00 3C 00 00 00 00 00   ....8...(.<.....
060 : 2D 00 00 00 00 00 01 59 3A 7A C9 1C 52 C4 01 5B   -......Y:z..R..[
070 : 84 0C 97 DB 1D C5 01 93 B2 4E FC 1C 52 C4 01 C1   .........N..R...
080 : 27 01 A1 15 1C C5 01 10 00 00 00 00 00 00 00      '..............


 length = 423

000 : 00 00 00 23 FF 53 4D 42 32 33 00 00 C0 98 07 C8   ...#.SMB23......
010 : 00 00 00 00 00 00 00 00 00 00 00 00 03 10 04 00   ................
020 : 03 18 C2 0C 00 00 00 00 00 01 7C FF 53 4D 42 32   ..........|.SMB2
030 : 00 00 00 00 98 07 C8 00 00 00 00 00 00 00 00 00   ................
040 : 00 00 00 03 10 80 0C 03 18 00 0D 0A 0A 00 38 01   ..............8.
050 : 00 00 0A 00 38 00 00 00 38 01 44 00 00 00 00 00   ....8...8.D.....
060 : 45 01 00 00 10 03 00 01 00 00 00 C8 00 00 00 60   E..............`
070 : 00 00 00 00 00 00 00 FE 32 9F BD CA 1C C4 01 68   ........2......h
080 : 00 C6 3B 9F 1A C5 01 F6 06 FA E9 57 C7 C4 01 72   ..;........W...r
090 : 00 65 82 CD 16 C5 01 00 00 00 00 00 00 00 00 00   .e..............
0a0 : 00 00 00 00 00 00 00 10 00 00 00 02 00 00 00 00   ................
0b0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0c0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 2E 00 68   ...............h
0d0 : 00 00 00 00 00 00 00 FE 32 9F BD CA 1C C4 01 68   ........2......h
0e0 : 00 C6 3B 9F 1A C5 01 F6 06 FA E9 57 C7 C4 01 72   ..;........W...r
0f0 : 00 65 82 CD 16 C5 01 00 00 00 00 00 00 00 00 00   .e..............
100 : 00 00 00 00 00 00 00 10 00 00 00 04 00 00 00 00   ................
110 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
120 : 00 00 00 00 00 00 00 00 00 00 00 00 00 2E 00 2E   ................
130 : 00 E3 FE E3 FE D1 FE 00 00 00 00 00 00 00 00 B6   ................
140 : 7C 46 AF 37 C7 C4 01 08 D0 8B 4E 9F 1A C5 01 4D   |F.7......N....M
150 : E9 8E 16 B7 C2 C4 01 28 D4 C0 3E 9F 1A C5 01 B3   .......(..>.....
160 : F3 61 02 00 00 00 00 00 00 62 02 00 00 00 00 80   .a.......b......
170 : 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00   ................
180 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
190 : 00 00 00 00 00 75 00 73 00 65 00 72 00 2E 00 65   .....u.s.e.r...e
1a0 : 00 78 00 65 00 23 02                              .x.e.#.


-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
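Decoding the 423-byte capture above with a small Python script (an added example, not code from the post or from Snort) shows what the alert actually matched on. The script rebuilds the bytes from the ACID-style dump, walks the NetBIOS session framing, decodes the SMB header and the Trans2 response words, and checks that the declared parameter and data blocks fit inside the PDU, which is the length relationship an "overflow" rule is concerned with. Interpreting the 10-byte parameter block as a TRANS2_FIND_FIRST2 response and the data as SMB_FIND_FILE_BOTH_DIRECTORY_INFO entries is an assumption: a Trans2 response does not carry the subcommand or the information level of the request it answers. Everything the script reads is in the dump above; the field layouts are the standard CIFS ones.

```python
# Added example, not code from the post or from Snort: rebuild the 423-byte capture quoted
# above from its ACID-style dump, strip the NetBIOS session framing, decode the SMB header and
# the Trans2 response words, and check that the declared parameter/data blocks fit inside the
# PDU.  Reading a 10-byte parameter block as TRANS2_FIND_FIRST2 and its data as
# SMB_FIND_FILE_BOTH_DIRECTORY_INFO entries is an assumption (see the lead-in above).
import struct

SMB_MAGIC, SMB_COM_TRANSACTION2, SMB_FLAGS_REPLY = b"\xffSMB", 0x32, 0x80

# Copied from the post above; only the hex column of each line is parsed.
DUMP_423 = """
000 : 00 00 00 23 FF 53 4D 42 32 33 00 00 C0 98 07 C8   ...#.SMB23......
010 : 00 00 00 00 00 00 00 00 00 00 00 00 03 10 04 00   ................
020 : 03 18 C2 0C 00 00 00 00 00 01 7C FF 53 4D 42 32   ..........|.SMB2
030 : 00 00 00 00 98 07 C8 00 00 00 00 00 00 00 00 00   ................
040 : 00 00 00 03 10 80 0C 03 18 00 0D 0A 0A 00 38 01   ..............8.
050 : 00 00 0A 00 38 00 00 00 38 01 44 00 00 00 00 00   ....8...8.D.....
060 : 45 01 00 00 10 03 00 01 00 00 00 C8 00 00 00 60   E..............`
070 : 00 00 00 00 00 00 00 FE 32 9F BD CA 1C C4 01 68   ........2......h
080 : 00 C6 3B 9F 1A C5 01 F6 06 FA E9 57 C7 C4 01 72   ..;........W...r
090 : 00 65 82 CD 16 C5 01 00 00 00 00 00 00 00 00 00   .e..............
0a0 : 00 00 00 00 00 00 00 10 00 00 00 02 00 00 00 00   ................
0b0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0c0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 2E 00 68   ...............h
0d0 : 00 00 00 00 00 00 00 FE 32 9F BD CA 1C C4 01 68   ........2......h
0e0 : 00 C6 3B 9F 1A C5 01 F6 06 FA E9 57 C7 C4 01 72   ..;........W...r
0f0 : 00 65 82 CD 16 C5 01 00 00 00 00 00 00 00 00 00   .e..............
100 : 00 00 00 00 00 00 00 10 00 00 00 04 00 00 00 00   ................
110 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
120 : 00 00 00 00 00 00 00 00 00 00 00 00 00 2E 00 2E   ................
130 : 00 E3 FE E3 FE D1 FE 00 00 00 00 00 00 00 00 B6   ................
140 : 7C 46 AF 37 C7 C4 01 08 D0 8B 4E 9F 1A C5 01 4D   |F.7......N....M
150 : E9 8E 16 B7 C2 C4 01 28 D4 C0 3E 9F 1A C5 01 B3   .......(..>.....
160 : F3 61 02 00 00 00 00 00 00 62 02 00 00 00 00 80   .a.......b......
170 : 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00   ................
180 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
190 : 00 00 00 00 00 75 00 73 00 65 00 72 00 2E 00 65   .....u.s.e.r...e
1a0 : 00 78 00 65 00 23 02                              .x.e.#.
"""

def hexdump_to_bytes(text):
    """Turn 'OFF : xx xx ...   ascii' lines back into bytes; the hex column is 47 characters wide."""
    return b"".join(bytes.fromhex(line.split(":", 1)[1].strip()[:47].replace(" ", ""))
                    for line in text.strip().splitlines())

def split_netbios(buf):
    """Split NetBIOS Session Service framing: type byte, flags byte, length (17 bits incl. the flag bit)."""
    msgs, pos = [], 0
    while pos < len(buf):
        length = int.from_bytes(buf[pos:pos + 4], "big") & 0x1FFFF
        body = buf[pos + 4:pos + 4 + length]
        if len(body) != length:
            raise ValueError("truncated NetBIOS message at offset %d" % pos)
        msgs.append(body)
        pos += 4 + length
    return msgs

def parse_smb(msg):
    """Decode the 32-byte SMB header, WordCount/ByteCount and, for a Trans2 reply, its parameter words."""
    if len(msg) < 35 or msg[:4] != SMB_MAGIC:
        raise ValueError("not an SMB message")
    cmd, status, flags, _flags2, pid_hi, tid, pid, uid, mid = struct.unpack_from("<BIBHH8x2xHHHH", msg, 4)
    wc = msg[32]
    bcc = int.from_bytes(msg[33 + 2 * wc:35 + 2 * wc], "little")
    info = {"command": cmd, "status": status, "reply": bool(flags & SMB_FLAGS_REPLY), "tid": tid,
            "pid": pid | pid_hi << 16, "uid": uid, "mid": mid, "word_count": wc, "byte_count": bcc,
            "byte_count_ok": 35 + 2 * wc + bcc == len(msg)}  # ByteCount must cover the rest of the PDU
    if cmd == SMB_COM_TRANSACTION2 and wc == 10:
        tpc, tdc, pc, po, _pd, dc, do, _dd, sc = struct.unpack_from("<HH2xHHHHHHBx", msg, 33)
        info["trans2"] = {"total_param": tpc, "total_data": tdc, "param_count": pc, "param_offset": po,
                          "data_count": dc, "data_offset": do, "setup_count": sc,
                          # the relationship an "overflow" rule cares about: do the blocks stay inside the PDU?
                          "fits": po + pc <= len(msg) and do + dc <= len(msg),
                          "params": msg[po:po + pc], "data": msg[do:do + dc]}
    return info

def find_first2(t2):
    """Assumed reading: FIND_FIRST2 parameters (SID, SearchCount, EndOfSearch, EaErrorOffset, LastNameOffset)
    and BOTH_DIRECTORY_INFO entries, whose FileNameLength sits at +60 and UTF-16LE FileName at +94."""
    sid, count, end, ea_err, last = struct.unpack("<HHHHH", t2["params"])
    names, pos, data = [], 0, t2["data"]
    for _ in range(count):
        next_off = struct.unpack_from("<I", data, pos)[0]
        name_len = struct.unpack_from("<I", data, pos + 60)[0]
        names.append(data[pos + 94:pos + 94 + name_len].decode("utf-16-le"))
        if not next_off:  # NextEntryOffset 0 marks the last entry in the block
            break
        pos += next_off
    return {"sid": sid, "search_count": count, "end_of_search": bool(end),
            "ea_error_offset": ea_err, "last_name_offset": last, "names": names}

def decode_dump(text):
    """Decode every SMB message in a dump; add the FIND_FIRST2 reading where the parameter block is 10 bytes."""
    out = []
    for msg in split_netbios(hexdump_to_bytes(text)):
        info = parse_smb(msg)
        if "trans2" in info and info["trans2"]["param_count"] == 10:
            info["find_first2"] = find_first2(info["trans2"])
        out.append(info)
    return out
```

`decode_dump(DUMP_423)` returns two messages, because the capture holds two NetBIOS session messages back to back: an SMB_COM_TRANSACTION2 error reply (status 0xC0000033, STATUS_OBJECT_NAME_INVALID) with no parameter words, followed by a successful Trans2 reply whose 10-byte parameter block and 312-byte data block end exactly at the end of the PDU, with a search count of 3 and the names ".", ".." and "user.exe", i.e. an ordinary directory listing with nothing oversized in it. The 143-byte capture pastes into the same parser and is also an error reply (0xC0000034) followed by a Trans2 reply, but with a 2-byte parameter block and 40 bytes of data, so the FIND_FIRST2 reading does not apply to it; a Trans2 reply looks the same on the wire whichever subcommand it answers, which is what makes a response-side rule hard to keep specific. Comparing the decoded counts and offsets against the rule's byte tests is the quickest way to see which condition it is matching.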




