[Snort-sigs] FP for NETBIOS SMB-DS winreg OpenKey unicode little endian overflow attempt,Sig ID,3228

Russell Fulton r.fulton at ...575...
Sun Mar 5 16:56:11 EST 2006


I am seeing several thousand hits a day coming from our Symantec AV
server to a handful of hosts.

As usual I'm happy to supply session data.

Russell

META
--------
SID	CID	TimeStamp		Signature							Sig ID
1	3934707	2006-03-05 09:52:22	NETBIOS SMB-DS winreg OpenKey unicode little endian overflow attempt	3228

Sensor Hostname				Sensor Interface
monitor-itss.insec.auckland.ac.nz	ITSS sector switch

IP
--------
Source Address	Dest Address	Ver	Hdr Len
130.216.190.16	130.216.193.34	4	5
TOS	length	ID	flags	offset	TTL	chksum
0	240	26081	2	0	124	4931

Resolved Source
symantec.auckland.ac.nz

Resolved Dest
b.oliver3.sat.auckland.ac.nz

TCP
--------
Source Port	Dest Port	Seq		Ack		
2722		445		1216340687	3983244039
Offset	Reserved	Flags	Window	Checksum	Urgent Ptr
5	0		24	63839	13871		0

Options
--------
None


Flags
--------
RB 1	RB 0	URG	ACK	PSH	RST	SYN	FIN
			X	X				

DATA
--------
000000C4FF534D422500	.....SMB%.
0000001807C800000000	..........
00000000000000000008	..........
D4010008102610000070	.....&...p
00000000040000000000	..........
00000000000000540070	.......T.p
005400020026000F0081	.T...&....
00005C00500049005000	..\.P.I.P.
45005C00000000000500	E.\.......
00031000000070001000	......p...
03000000340000000000	....4.....
0F004F3765B7EB1E2807	..O7e...(.
D64B893D6A57FD8E8C18	.K.=jW....
08587C30198D9EAFDFED	.X|0......
2434891DC4153A865A1C	$4....:.Z.
0CE6B3F51A6AD7CEF1DE	.....j....
3AE13FE9CE7C478EF858	:.?..|G..X
7FBC30CA36EB09060C00	..0.6.....
00000000010000002496	........$.
3DF5017C54BC02000000	=..|T.....

DATA
--------
.....SMB%..........................&...p.................T.p
.T...&......\.P.I.P.E.\.............p.......4.......O7e...(.
.K.=jW.....X|0......$4....:.Z......j....:.?..|G..X..0.6.....
........$.=..|T.....
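What the alert actually carries, decoded: the following is an added example, not part of Russell's post or of the Snort rule set. It transcribes the 200 bytes from the hex dump above (NetBIOS session header through the DCERPC auth verifier) and walks NBSS -> SMB header -> SMB_COM_TRANSACTION -> TransactNmPipe -> DCERPC request header and auth trailer, which is the path a winreg rule has to follow before it can check anything in the stub. The constant names are mine; the protocol facts they encode (Trans subcommand 0x26 = TransactNmPipe, DCERPC packet type 0 = request, opnum 15 on the winreg interface = BaseRegOpenKey per MS-RRP, auth level 6 = RPC_C_AUTHN_LEVEL_PKT_PRIVACY, auth type 9 = GSS_NEGOTIATE) are standard.

```python
import struct

# Transcribed from the DATA hex dump in the post above (200 bytes).
ALERT_PACKET = bytes.fromhex(
    "000000C4FF534D422500" "0000001807C800000000" "00000000000000000008"
    "D4010008102610000070" "00000000040000000000" "00000000000000540070"
    "005400020026000F0081" "00005C00500049005000" "45005C00000000000500"
    "00031000000070001000" "03000000340000000000" "0F004F3765B7EB1E2807"
    "D64B893D6A57FD8E8C18" "08587C30198D9EAFDFED" "2434891DC4153A865A1C"
    "0CE6B3F51A6AD7CEF1DE" "3AE13FE9CE7C478EF858" "7FBC30CA36EB09060C00"
    "00000000010000002496" "3DF5017C54BC02000000"
)

SMB_COM_TRANSACTION = 0x25
TRANS_TRANSACT_NMPIPE = 0x26
DCERPC_PTYPE_REQUEST = 0
RPC_C_AUTHN_LEVEL_PKT_PRIVACY = 6       # stub data is encrypted at this level
RPC_C_AUTHN_GSS_NEGOTIATE = 9           # SPNEGO-wrapped authentication
WINREG_OPNUM_BASEREGOPENKEY = 15        # MS-RRP BaseRegOpenKey


def parse_smb_trans_dcerpc(raw: bytes) -> dict:
    """Decode an SMB Trans/TransactNmPipe carrying a DCERPC PDU (assumes the
    FID was opened on a named pipe earlier in the session, as here)."""
    nbss_len = int.from_bytes(raw[1:4], "big")          # NBSS: type, 3-byte length
    smb = raw[4:4 + nbss_len]
    if smb[:4] != b"\xffSMB":
        raise ValueError("not an SMB message")
    command = smb[4]
    if command != SMB_COM_TRANSACTION:
        raise ValueError(f"unexpected SMB command 0x{command:02x}")

    wct = smb[32]                                       # WordCount after 32-byte header
    words = smb[33:33 + 2 * wct]
    (_tot_param, total_data, _max_param, _max_data, _max_setup, _r1, _flags,
     _timeout, _r2, _param_count, _param_off, data_count, data_off,
     setup_count, _r3) = struct.unpack("<HHHHBBHIHHHHHBB", words[:28])
    setup = struct.unpack(f"<{setup_count}H", words[28:28 + 2 * setup_count])
    subcommand, fid = setup[0], setup[1]

    # ByteCount follows the words; the pipe name is UTF-16LE, 2-byte aligned.
    name_off = 33 + 2 * wct + 2
    if name_off % 2:
        name_off += 1
    pipe_name = smb[name_off:data_off].decode("utf-16-le").split("\x00")[0]

    rpc = smb[data_off:data_off + data_count]           # DataOffset is from SMB header start
    ver, minor, ptype, pfc_flags = rpc[0], rpc[1], rpc[2], rpc[3]
    little_endian = (rpc[4] >> 4) == 1                  # drep[0] high nibble: 1 = LE ints
    frag_len, auth_len, call_id = struct.unpack("<HHI", rpc[8:16])
    alloc_hint, ctx_id, opnum = struct.unpack("<IHH", rpc[16:24])

    auth = None
    stub_end = frag_len
    if auth_len:
        trailer_off = frag_len - auth_len - 8           # sec_trailer precedes the verifier
        auth_type, auth_level, auth_pad_len, _res, auth_ctx = struct.unpack(
            "<BBBBI", rpc[trailer_off:trailer_off + 8])
        auth = {"type": auth_type, "level": auth_level, "pad_len": auth_pad_len,
                "context_id": auth_ctx, "verifier": rpc[frag_len - auth_len:frag_len]}
        stub_end = trailer_off - auth_pad_len           # strip auth padding from the stub

    return {
        "smb_command": command, "trans_subcommand": subcommand, "fid": fid,
        "pipe_name": pipe_name, "rpc_version": (ver, minor), "ptype": ptype,
        "pfc_flags": pfc_flags, "little_endian": little_endian, "call_id": call_id,
        "frag_len": frag_len, "alloc_hint": alloc_hint, "context_id": ctx_id,
        "opnum": opnum, "auth": auth, "stub": rpc[24:stub_end],
        # At PKT_PRIVACY the stub bytes a content rule inspects are ciphertext.
        "stub_sealed": auth is not None and auth["level"] >= RPC_C_AUTHN_LEVEL_PKT_PRIVACY,
    }


if __name__ == "__main__":
    r = parse_smb_trans_dcerpc(ALERT_PACKET)
    for key in ("smb_command", "trans_subcommand", "fid", "pipe_name", "ptype",
                "little_endian", "opnum", "alloc_hint", "stub_sealed"):
        print(f"{key:17} {r[key]!r}")
    print("auth trailer      ", {k: v for k, v in r["auth"].items() if k != "verifier"})
    print("stub (first 16)   ", r["stub"][:16].hex())
```

Running it against the dump shows a DCERPC request, little-endian data representation, opnum 15 (BaseRegOpenKey), so the name parts of SID 3228 all match honestly. But the sec_trailer says auth type 9, auth level 6: the 52-byte stub (the BaseRegOpenKey handle, key-name length and name that an overflow check would read) is sealed, so any rule content beyond the opnum is matched against ciphertext, and the rule's length test will fire on whatever the encrypted bytes happen to be. Note also that the Trans request names only \PIPE\ and relies on FID 0x000F; whether that FID was opened on \winreg is decided by an earlier NT Create in the same session, which is the part of the session data worth checking when triaging this alert.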



