[Snort-users] NETBIOS SMB winreg access (unicode)

Perrymon, Josh L. PerrymonJ at ...8353...
Wed Apr 14 10:41:00 EDT 2004


I see a lot of NETBIOS SMB winreg access (unicode) alerts on my Frame side.
Does anyone else see this on their network? I have 28,000 hits in 3 days
from a proxy server going to 50 destinations on my network.

payload:

length = 104

000 : 00 00 00 64 FF 53 4D 42 A2 00 00 00 00 18 07 C8   ...d.SMB........
010 : 00 00 00 00 00 00 00 00 00 00 00 00 00 28 14 04   .............(..
020 : 01 48 42 EB 18 FF 00 DE DE 00 0E 00 16 00 00 00   .HB.............
030 : 00 00 00 00 9F 01 02 00 00 00 00 00 00 00 00 00   ................
040 : 00 00 00 00 03 00 00 00 01 00 00 00 40 00 00 00   ............@...
050 : 02 00 00 00 03 11 00 00 5C 00 77 00 69 00 6E 00   ........\.w.i.n.
060 : 72 00 65 00 67 00 00 00                           r.e.g...


Does this look normal?


JP  
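
Added example, not part of the original post: a Python decode of the 104-byte payload quoted above, reading it as a NetBIOS session message that carries an SMB1 NT Create AndX request (command 0xA2) and extracting the Unicode name it opens. The function and field names are this example's own, and the offsets assume the standard 32-byte SMB1 header followed by a 24-word parameter block.

```python
import re
import struct

# Hex columns of the dump in the post above (ASCII column omitted).
DUMP = """\
000 : 00 00 00 64 FF 53 4D 42 A2 00 00 00 00 18 07 C8
010 : 00 00 00 00 00 00 00 00 00 00 00 00 00 28 14 04
020 : 01 48 42 EB 18 FF 00 DE DE 00 0E 00 16 00 00 00
030 : 00 00 00 00 9F 01 02 00 00 00 00 00 00 00 00 00
040 : 00 00 00 00 03 00 00 00 01 00 00 00 40 00 00 00
050 : 02 00 00 00 03 11 00 00 5C 00 77 00 69 00 6E 00
060 : 72 00 65 00 67 00 00 00
"""

SMB_COM_NT_CREATE_ANDX = 0xA2   # SMB1 command code
FLAGS2_UNICODE = 0x8000         # Flags2 bit: strings are UTF-16LE

def dump_to_bytes(text):
    """Collect the hex byte columns that follow 'offset :' on each line."""
    out = bytearray()
    for line in text.splitlines():
        m = re.match(r"\s*[0-9A-Fa-f]+ : ((?:[0-9A-Fa-f]{2}(?: |$)){1,16})", line)
        if m:
            out += bytes.fromhex(m.group(1))
    return bytes(out)

def parse_nt_create(pkt):
    """Decode the NetBIOS header, SMB1 header and NT Create AndX name."""
    nb_len = int.from_bytes(pkt[1:4], "big")      # 24-bit session length
    if pkt[0] != 0 or nb_len != len(pkt) - 4 or pkt[4:8] != b"\xffSMB":
        raise ValueError("not a complete SMB1 session message")
    command, flags2 = pkt[8], struct.unpack_from("<H", pkt, 14)[0]
    tid, _pid, uid, _mid = struct.unpack_from("<4H", pkt, 28)
    if command != SMB_COM_NT_CREATE_ANDX or pkt[36] != 24:
        raise ValueError("not an NT Create AndX request")
    name_len, = struct.unpack_from("<H", pkt, 42)
    access, = struct.unpack_from("<I", pkt, 52)
    data = 37 + 48 + 2             # skip 24 parameter words and ByteCount
    unicode_ = bool(flags2 & FLAGS2_UNICODE)
    if unicode_ and (data - 4) % 2:  # Unicode names are 2-byte aligned
        data += 1
    raw = pkt[data:data + name_len]
    name = raw.decode("utf-16-le" if unicode_ else "ascii").rstrip("\x00")
    return {"command": command, "unicode": unicode_, "tid": tid, "uid": uid,
            "desired_access": access, "name": name}

if __name__ == "__main__":
    print(parse_nt_create(dump_to_bytes(DUMP)))
```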



