[Snort-users] Very interesting packet

Toby Miller infowar at ...71...
Tue Aug 1 23:57:16 EDT 2000

Judy Novak wrote up a great analysis of the NetBIOS name conflicts; you can
locate it at http://www.sans.org/y2k/061500.htm

-----Original Message-----
From: Bill Pennington <billp at ...60...>
To: fyodor at ...123... <fyodor at ...123...>
Cc: Todd Ransom <TRansom at ...197...>; Lance Spitzner
<lance at ...185...>; Snort-Users (E-mail)
<snort-users at lists.sourceforge.net>
Date: Monday, July 31, 2000 11:27 AM
Subject: Re: [Snort-users] Very interesting packet

>Another thought...
>The NAI guys released this advisory on the 27th. Since I doubt NAI
>releases exploit code, perhaps someone already knew of this vulnerability
>or they saw this and got an idea. It is basically a DOS using NetBIOS Name
>Conflict packets.
>Just another guess :-)
>Fyodor wrote:
>> ~ :Anyone know how to decode the NetBIOS data in the packet?
>> if you are talking about those funky `CACACA..` strings in the packets,
>> then the basic idea would be:
>> you substitute 0x41 from each pair of characters in the packet and then
>> or them like final = (a << 4) | b; (and you will get 0x20 for each `CA`
>> pair ;-))
>> for `descrambling` the whole NetBIOS packet(s) have a look at RFC 1001,
>> 1002. They are old but do not seem to be obsoleted yet.
>Bill Pennington
>Senior IT Manager
>billp at ...60...
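
The nibble decoding described in Fyodor's reply, as an added example that is not part of the original thread: RFC 1001 first-level encoding splits each name byte into two nibbles and adds 0x41 ('A') to each, so decoding subtracts 0x41 from each character before recombining. The function names and sample names are constructed for illustration.

```python
"""Decode RFC 1001 first-level encoded NetBIOS names (added example)."""

def decode_nibbles(encoded: bytes) -> bytes:
    """Reverse the half-ASCII encoding: every source byte became two
    characters in 'A'..'P', one per nibble, so b'CA' decodes to 0x20."""
    if len(encoded) % 2:
        raise ValueError("encoded name must have an even length")
    out = bytearray()
    for i in range(0, len(encoded), 2):
        a, b = encoded[i] - 0x41, encoded[i + 1] - 0x41
        if not (0 <= a <= 0x0F and 0 <= b <= 0x0F):
            raise ValueError(f"pair at offset {i} is outside 'A'..'P'")
        out.append((a << 4) | b)  # final = (a << 4) | b
    return bytes(out)

def encode_nibbles(raw: bytes) -> bytes:
    """Inverse operation, used here only to build a constructed sample."""
    return bytes(c for x in raw for c in ((x >> 4) + 0x41, (x & 0x0F) + 0x41))

def decode_name(encoded: bytes):
    """Return (name, sixteenth_byte) for a full 32-character encoded name."""
    if len(encoded) != 32:
        raise ValueError("a first-level encoded NetBIOS name is 32 bytes")
    raw = decode_nibbles(encoded)
    # Names are padded to 15 bytes; the 16th byte is kept separately
    # (Microsoft implementations use it as a service-type suffix).
    name = raw[:15].rstrip(b" \x00").decode("ascii", errors="replace")
    return name, raw[15]

# Constructed samples, not taken from the packet discussed in this thread.
SAMPLE_PADDING = b"CA" * 16            # sixteen spaces
SAMPLE_WILDCARD = b"CK" + b"AA" * 15   # '*' followed by fifteen NUL bytes
SAMPLE_HOST = encode_nibbles(b"WORKSTATION1".ljust(15) + b"\x00")

if __name__ == "__main__":
    for sample in (SAMPLE_PADDING, SAMPLE_WILDCARD, SAMPLE_HOST):
        print(sample.decode(), "->", decode_name(sample))
```
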