[Snort-sigs] FPs on AddPrinterEx unicode little endian overflow attempt, Sig ID, 4485

Russell Fulton r.fulton at ...575...
Tue Jun 6 21:34:04 EDT 2006


I'm seeing quite a few of these on our internal network.

Russell

META
--------
SID	CID	TimeStamp		Signature
1	4662297	2006-06-05 09:57:04	NETBIOS SMB-DS spoolss AddPrinterEx unicode little endian overflow attempt
Sig ID: 4485

Sensor Hostname				Sensor Interface
monitor-itss.insec.auckland.ac.nz	ITSS sector switch

IP
--------
Source Address	Dest Address	Ver	Hdr Len
130.216.54.18	130.216.206.186	4	5
TOS	length	ID	flags	offset	TTL	chksum
0	518	58822	2	0	126	2734

Resolved Source
sgm18.phy.auckland.ac.nz

Resolved Dest
horace.phyt.auckland.ac.nz

TCP
--------
Source Port	Dest Port	Seq		Ack		
3927		445		1807284775	1451020825
Offset	Reserved	Flags	Window	Checksum	Urgent Ptr
5	0		24	64319	58281		0

Options
--------
None


Flags
--------
RB 1	RB 0	URG	ACK	PSH	RST	SYN	FIN
			X	X				

DATA
--------
000001DAFF534D422500	.....SMB%.
0000001807C800000000	..........
00000000000000000730	.........0
78050360C00110000086	x..`......
01000000040000000000	..........
00000000000000540086	.......T..
015400020026000D4097	.T...&..@.
01005C00500049005000	..\.P.I.P.
45005C00000000000500	E.\.......
00031000000086010000	..........
010000006E0100000000	....n.....
4600B0FEF50009000000	F.........
00000000090000005C00	........\.
5C0048004F0052004100	\.H.O.R.A.
43004500000008000100	C.E.......
000001000000D8F1F500	..........
18100000E8F1F5000CFA	..........
F5006811150133000000	..h...3...
00000000330000005C00	....3...\.
5C00530047004D003100	\.S.G.M.1.
38005C00410064006F00	8.\.A.d.o.
62006500200050004400	b.e. .P.D.
46002C00410064006F00	F.,.A.d.o.
62006500200050004400	b.e. .P.D.
4600200043006F006E00	F. .C.o.n.
76006500720074006500	v.e.r.t.e.
72002C004D0079002000	r.,.M.y. .
44006F00630075006D00	D.o.c.u.m.
65006E00740073000000	e.n.t.s...
73001200000000000000	s.........
120000005C005C005300	....\.\.S.
47004D00310038005C00	G.M.1.8.\.
410064006F0062006500	A.d.o.b.e.
20005000440046000000	 .P.D.F...
0D000000000000000D00	..........
00003F003F0020004100	..?.?. .A.
64006F00620065002000	d.o.b.e. .
50004400460000004600	P.D.F...F.
00000000000000000000	..........
00000000000001000000	..........
01000000C8EAF5001C00	..........
00009087B6002CEBF500	......,...
280A0000030000000000	(.........
00000000000008000000	..........
00000000080000005C00	........\.
5C00530047004D003100	\.S.G.M.1.
38000000010000000000	8.........
0000010000000000	........

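To triage an alert like this one, an analyst decodes the payload back to the DCERPC call and the names it carries. The following is an added example, not part of Russell's post or of Snort: it walks the hex DATA block above through the NetBIOS session header, the SMB_COM_TRANSACTION / TransactNmPipe request and the DCERPC request header, then pulls out the UTF-16LE strings; the opnum table holds only the one MS-RPRN opnum (70, RpcAddPrinterEx) that the rule is named after.

```python
import struct

# Payload copied from the alert's DATA block in the post, NetBIOS session header first.
ALERT_PAYLOAD_HEX = """
000001DAFF534D422500 0000001807C800000000 00000000000000000730 78050360C00110000086
01000000040000000000 00000000000000540086 015400020026000D4097 01005C00500049005000
45005C00000000000500 00031000000086010000 010000006E0100000000 4600B0FEF50009000000
00000000090000005C00 5C0048004F0052004100 43004500000008000100 000001000000D8F1F500
18100000E8F1F5000CFA F5006811150133000000 00000000330000005C00 5C00530047004D003100
38005C00410064006F00 62006500200050004400 46002C00410064006F00 62006500200050004400
4600200043006F006E00 76006500720074006500 72002C004D0079002000 44006F00630075006D00
65006E00740073000000 73001200000000000000 120000005C005C005300 47004D00310038005C00
410064006F0062006500 20005000440046000000 0D000000000000000D00 00003F003F0020004100
64006F00620065002000 50004400460000004600 00000000000000000000 00000000000001000000
01000000C8EAF5001C00 00009087B6002CEBF500 280A0000030000000000 00000000000008000000
00000000080000005C00 5C00530047004D003100 38000000010000000000 0000010000000000
"""
RPRN_OPNUMS = {70: "RpcAddPrinterEx"}  # MS-RPRN opnum the rule is named after

def utf16le_strings(data: bytes, min_len: int = 4) -> list:
    """Return runs of at least min_len printable UTF-16LE characters."""
    found, i = [], 0
    while i + 1 < len(data):
        start = i
        while i + 1 < len(data) and 0x20 <= data[i] < 0x7F and data[i + 1] == 0:
            i += 2
        if i - start >= 2 * min_len:
            found.append(data[start:i].decode("utf-16-le"))
        if i == start:
            i += 1
    return found

def parse_alert_payload(hexdump: str) -> dict:
    """NetBIOS -> SMB_COM_TRANSACTION -> TransactNmPipe -> DCERPC request summary."""
    pkt = bytes.fromhex(hexdump)
    nbt_len = int.from_bytes(pkt[1:4], "big")           # NBT session message length
    smb = pkt[4:4 + nbt_len]
    if smb[:4] != b"\xffSMB" or smb[4] != 0x25:          # 0x25 = SMB_COM_TRANSACTION
        raise ValueError("not an SMB_COM_TRANSACTION request")
    params = smb[33:33 + 2 * smb[32]]                    # smb[32] is WordCount
    data_count, data_offset = struct.unpack_from("<HH", params, 22)
    (setup0,) = struct.unpack_from("<H", params, 28)     # 0x26 = TransactNmPipe
    rpc = smb[data_offset:data_offset + data_count]      # offset counts from SMB header
    frag_len, _auth, _call_id, _hint, _ctx, opnum = struct.unpack_from("<HHIIHH", rpc, 8)
    return {
        "framing_ok": len(pkt) == 4 + nbt_len and setup0 == 0x26 and rpc[0] == 5 and rpc[2] == 0 and frag_len == data_count,
        "opnum": opnum,
        "opnum_name": RPRN_OPNUMS.get(opnum, "unknown"),
        "strings": utf16le_strings(smb),  # pipe, server and printer names as sent
    }
```

On this payload the framing checks pass, the opnum decodes to 70 (RpcAddPrinterEx) and the recovered strings are the \PIPE\ name, the server \\HORACE and the printer and share names under \\SGM18 that are visible in the ASCII column above.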
