[Snort-users] Very interesting packet

Toby Miller infowar at ...71...
Tue Aug 1 23:57:16 EDT 2000


Judy Novak wrote up a great analysis of the netbios name conflicts you can
locate it at http://www.sans.org/y2k/061500.htm


Toby
-----Original Message-----
From: Bill Pennington <billp at ...60...>
To: fyodor at ...123... <fyodor at ...123...>
Cc: Todd Ransom <TRansom at ...197...>; Lance Spitzner
<lance at ...185...>; Snort-Users (E-mail)
<snort-users at lists.sourceforge.net>
Date: Monday, July 31, 2000 11:27 AM
Subject: Re: [Snort-users] Very interesting packet


>Another thought...
>
>The NAI guys released this advisory on the 27th. Since I doubt NAI
>releases exploit code perhaps someone already knew of this vulnerabilty
>or they saw this and got an idea. It is basicly a DOS using Netbios Name
>Conflict packets.
>
>Just another guess :-)
>
>
>http://packetstorm.securify.com/advisories/nai/COVERT-2000-09.netbios
>
>Fyodor wrote:
>>
>> ~ :Anyone know how to decode the NetBIOS data in the packet?
>>
>> if you are talking about those funky `CACACA..` strings in the packets,
>> then the basic idea would be:
>> you substitute 0x41 from each pair of characters in the packet and then
>> or them like final = (a << 4) | b; (and you will get 0x20 for each `CA'
>> pair ;-))
>>
>> for `descrambling' the whole netbios packet(s) have a look on rfc 1001,
>> 1002. They are old but do not seem to be obsoleted yet.
>
>--
>
>
>Bill Pennington
>Senior IT Manager
>Rocketcash
>billp at ...60...
>http://www.rocketcash.com
>
>_______________________________________________
>Snort-users mailing list
>Snort-users at lists.sourceforge.net
>http://lists.sourceforge.net/mailman/listinfo/snort-users





More information about the Snort-users mailing list