[Snort-users] NT Null sessions [newbie]

Fyodor fygrave at ...121...
Wed Jan 3 04:34:30 EST 2001


On Wed, Jan 03, 2001 at 11:13:55AM +0200, Langa Kentane wrote:
> Greetings.
> I am getting the following in my logs:
> [**] IDS204 - NT NULL session [**]
> 01/03-09:29:32.422507 172.24.146.38:1037 -> 172.24.155.146:139
> TCP TTL:127 TOS:0x0 ID:5141  DF
> *****PA* Seq: 0xDAB92   Ack: 0x7EF6A3D5   Win: 0x21C1
> 
> What does this mean, does this need to be logged?
> I am using the snortfull.conf  I got from snort.org.  Should I perhaps try
> and make custom ones from their web interface that will exclude netbios?
> Will that not be a problem in the sense that netbios attacks will not be
> logged?
> 

Check out this URL for NT NULL session explanations:
http://support.microsoft.com/support/kb/articles/Q143/4/74.asp

If you don't care about your Win boxes (or don't have them), it shouldn't
be a problem to customise your ruleset and remove NetBIOS support from it :)
    
-- 
http://www.notlsd.net
PGP fingerprint = 56DD 1511 DDDA 56D7 99C7  B288 5CE5 A713 0969 A4D1
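
Added example, not part of the original thread: before removing the NetBIOS rules, it helps to see which logged alerts such an exclusion would silence. The sketch below parses alert entries in the format quoted above and counts, per signature and host pair, those touching the NetBIOS ports. It assumes a port-based approximation (137-139) of what the NetBIOS rules cover; `parse_alerts`, `netbios_summary` and the second and third sample entries are constructed for illustration.

```python
import re
from collections import Counter

# First entry is the alert quoted in the post; the other two are constructed.
SAMPLE = """\
[**] IDS204 - NT NULL session [**]
01/03-09:29:32.422507 172.24.146.38:1037 -> 172.24.155.146:139
TCP TTL:127 TOS:0x0 ID:5141  DF
*****PA* Seq: 0xDAB92   Ack: 0x7EF6A3D5   Win: 0x21C1

[**] IDS204 - NT NULL session [**]
01/03-09:31:02.100000 172.24.146.38:1040 -> 172.24.155.146:139
TCP TTL:127 TOS:0x0 ID:5190  DF
*****PA* Seq: 0xDAC10   Ack: 0x7EF6B001   Win: 0x21C1

[**] Constructed non-NetBIOS alert [**]
01/03-09:40:00.000000 192.0.2.7:4000 -> 172.24.155.146:80
TCP TTL:64 TOS:0x0 ID:77  DF
*****PA* Seq: 0x1   Ack: 0x2   Win: 0x2000
"""
NETBIOS_PORTS = {137, 138, 139}  # assumption: name, datagram, session services
HEADER = re.compile(r"^\[\*\*\]\s*(.+?)\s*\[\*\*\]$")
FLOW = re.compile(r"^\S+ ([\d.]+):(\d+) -> ([\d.]+):(\d+)$")

def parse_alerts(text):
    """Pair each [**] signature line with the flow line that follows it."""
    alerts, sig = [], None
    for line in map(str.strip, text.splitlines()):
        if (m := HEADER.match(line)):
            sig = m.group(1)
        elif sig and (m := FLOW.match(line)):
            src, sport, dst, dport = m.groups()
            alerts.append((sig, src, int(sport), dst, int(dport)))
            sig = None  # ignore protocol/flag lines until the next header
    return alerts

def netbios_summary(alerts):
    """Count alerts per (signature, src, dst) that touch a NetBIOS port."""
    hits = Counter()
    for sig, src, sport, dst, dport in alerts:
        if {sport, dport} & NETBIOS_PORTS:
            hits[(sig, src, dst)] += 1
    return hits

if __name__ == "__main__":
    for (sig, src, dst), n in netbios_summary(parse_alerts(SAMPLE)).items():
        print(f"{n:3d}  {sig}  {src} -> {dst}")
```

A summary dominated by one internal host pair points to ordinary Windows traffic; NetBIOS alerts from unexpected sources are what would go unlogged once the rules are removed.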



