[Snort-users] whatis database

Fri Sep 22 20:18:25 EDT 2000


I'd like to know if someone out there knows where a good place would be to look
up some of the things that snort is flagging.

For instance, I see a bunch of these daily.
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] IDS177/netbios-name-query [**]
09/22-04:09:05.968366 24.66.234.242:137 -> 24.7.237.246:137
UDP TTL:114 TOS:0x0 ID:8267
Len: 58
16 03 00 10 00 01 00 00 00 00 00 00 20 43 4B 41  ............ CKA
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
41 41 41 41 41 41 41 41 41 41 41 41 41 00 00 21  AAAAAAAAAAAAA..!
00 01                                            ..

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

I looked around the snort site, and various other places linked off the page, to
see exactly what it is. My guess is it's just a Win machine firing up on my local
network doing a netbios query, but I can't seem to locate a place where the
stuff that is flagged in the vision.rules file is documented for =why= a given
packet is logged as opposed to others.

More critically, I got one today that says...
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
/var/log/snort $ cat 24.7.237.246/TCP:3791-1115
[**] IDS42/trojan-active-totaleclipse [**]
09/21-21:51:09.784529 24.7.237.246:3791 -> 24.27.96.210:1115
TCP TTL:64 TOS:0x0 ID:21024  DF
**S***A* Seq: 0x6593A1EC   Ack: 0x53A6C7   Win: 0x7D78
TCP Options => MSS: 1460 NOP NOP SackOK
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
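Added as an illustration, not part of the original post: a small Python decoder for the payload dump in the IDS177/netbios-name-query alert above, using the NBNS header layout and first-level name encoding from RFC 1001/1002 (the QTYPE table and all function names are my own). Run on that dump it shows a query, not a response, for the wildcard name `*` with type NBSTAT (0x21), i.e. a node-status request asking the target host for its whole NetBIOS name table rather than a lookup of one specific name (type NB, 0x20); the decoded fields are what to compare when deciding whether the source is a local Windows box or something walking the network.

```python
import re
import struct

# Payload hex dump copied from the IDS177/netbios-name-query alert above
# (Snort dumps only the UDP payload: 50 bytes, the other 8 are the UDP header).
ALERT_HEX = """\
16 03 00 10 00 01 00 00 00 00 00 00 20 43 4B 41  ............ CKA
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
41 41 41 41 41 41 41 41 41 41 41 41 41 00 00 21  AAAAAAAAAAAAA..!
00 01                                            ..
"""
HEX_BYTE = re.compile(r"\b[0-9A-Fa-f]{2}\b")
QTYPE_NAMES = {0x20: "NB (name query)", 0x21: "NBSTAT (node status)"}  # RFC 1002

def hexdump_to_bytes(dump: str) -> bytes:
    """Snort prints 16 bytes as 3-character columns, then an ASCII column;
    only the first 48 characters of each line carry data."""
    return bytes(int(t, 16) for ln in dump.splitlines() for t in HEX_BYTE.findall(ln[:48]))

def decode_first_level(encoded: str) -> bytes:
    """RFC 1001 first-level encoding: each nibble of the 16-byte NetBIOS name
    is sent as 'A' + nibble, so an encoded name is always 32 characters."""
    nib = [ord(c) - ord("A") for c in encoded]
    if len(nib) != 32 or any(not 0 <= n <= 15 for n in nib):
        raise ValueError("not a first-level encoded NetBIOS name")
    return bytes((hi << 4) | lo for hi, lo in zip(nib[0::2], nib[1::2]))

def parse_nbns_query(payload: bytes) -> dict:
    """Parse the NBNS header (same layout as DNS) and its first question."""
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", payload[:12])
    pos, labels = 12, []
    while payload[pos] != 0:                      # length-prefixed labels
        n = payload[pos]
        labels.append(payload[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    qtype, qclass = struct.unpack("!HH", payload[pos + 1:pos + 5])
    raw = decode_first_level(labels[0])           # 15 name bytes + suffix byte
    return {
        "txid": txid, "qdcount": qdcount, "qclass": qclass,
        "is_response": bool(flags & 0x8000),
        "opcode": (flags >> 11) & 0xF,            # 0 = query
        "name": raw[:15].rstrip(b"\x00 ").decode("ascii"),
        "suffix": raw[15],
        "wildcard": raw[:1] == b"*",              # '*' asks for the whole name table
        "qtype": qtype,
        "qtype_name": QTYPE_NAMES.get(qtype, "unknown"),
    }
```

`parse_nbns_query(hexdump_to_bytes(ALERT_HEX))` returns name `*`, suffix 0, qtype 0x21 for the packet in the post.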


