[Snort-users] false alarm or not ?
solar_liu at ...8882...
Tue Apr 29 02:04:07 EDT 2003
I have encountered a strange question, which I will describe as follows:
I have two computers. Snort 2.0 is installed on the Linux one, which is configured as my firewall. The other computer has Windows XP Pro installed. I have now run Snort on the firewall, and I found that Snort alerted as follows every 6 minutes:
[**] [1:466:1] ICMP L3retriever Ping [**]
[Classification: Attempted Information Leak] [Priority: 2]
04/29-16:53:50.313874 18.104.22.168 -> 22.214.171.124
ICMP TTL:32 TOS:0x0 ID:42625 IpLen:20 DgmLen:60
Type:8 Code:0 ID:512 Seq:29440 ECHO
[Xref => http://www.whitehats.com/info/IDS311]
[**] [1:2102:1] NETBIOS SMB SMB_COM_TRANSACTION Max Data Count of 0 DOS Attempt [**]
[Classification: Detection of a Denial of Service Attack] [Priority: 2]
04/29-16:53:54.836918 126.96.36.199:3916 -> 188.8.131.52:139
TCP TTL:128 TOS:0x0 ID:42635 IpLen:20 DgmLen:162 DF
***AP*** Seq: 0xA7872F3A Ack: 0x54CB2BFA Win: 0xF775 TcpLen: 20
[Xref => http://www.corest.com/common/showdoc.php?idx=262]
[Xref=>http://www.microsoft.com/technet/security/bulletin/MS02-045.asp][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?
I wonder whether my computer is infected by viruses, or whether the packet that the Windows system sent is normal and this is a Snort false alarm. If it's the latter, how can I deal with it?
Thanks in advance!