[Snort-sigs] ISystemActivator Call_id 127 to port 1025 vs sid:2192 (port 139) ?

Lee Clemens snort at ...3020...
Tue Mar 8 21:49:35 EST 2005


I have been having difficulty with the NETBIOS SMB DCERPC ISystemActivator
bind attempt rule with sid:2192 (false negatives?).

I have noticed a large amount of traffic that seems extremely similar to
that which would trigger this rule (NETBIOS sid:2192), except that it is
destined for port 1025 instead of 139 (Win2K3). 

The 'attacks' are always from foreign machines I have no intention of
dealing with, and the most common attempt is DCERPC Bind: call_id: 127 UUID:
ISystemActivator, with a response from my DMZ machine of Provider rejection,
reason: Abstract syntax not supported.

I would greatly appreciate it if anyone could shed some light on the
difference between these Bind requests and those destined for port 139
(which the rule is designed for). I can only assume the packets I am seeing
are malicious in nature. (I usually get scanned by the same IP before or
shortly after the rejection of the bind request.)

I have made my own simple rule to log traffic $EXTERNAL_NET any -> $HOME_NET
1025 so that I can monitor this activity, but I am wondering why there is no
rule including port 1025 (Should I add port 1025 to the ISystemActivator
rules with port 139?).

I have included the packet bytes (call_id 127 UUID: ISystemActivator) minus
the layer 2 and 3 headers below.

0000  -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --   ----------------
0010  -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --   ----------------
0020  -- -- 09 48 04 01 9f 68 4b 99 6c dc dc 82 50 18   --.H...hK.l...P.
0030  fa f0 7e 1f 00 00 05 00 0b 03 10 00 00 00 48 00   ..~...........H.
0040  00 00 7f 00 00 00 d0 16 d0 16 00 00 00 00 01 00   ................
0050  00 00 01 00 01 00 a0 01 00 00 00 00 00 00 c0 00   ................
0060  00 00 00 00 00 46 00 00 00 00 04 5d 88 8a eb 1c   .....F.....]....
0070  c9 11 9f e8 08 00 2b 10 48 60 02 00 00 00         ......+.H`....


Thanks for any help you can offer. Let me know if you need more information
in describing these events as well.

--Lee
snort at ...3020...






More information about the Snort-sigs mailing list