[Snort-users] NETBIOS SMB winreg access (unicode)

larosa, vjay larosa_vjay at ...3331...
Wed Apr 14 11:29:02 EDT 2004


This server is testing to see if it can remotely access the registry over
the network. If winreg can be remotely accessed then the requesting server
will have access across the network to view/modify the registry remotely.

vjl

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Perrymon, Josh L.
Sent: Wednesday, April 14, 2004 1:40 PM
To: 'snort-users at lists.sourceforge.net'
Subject: [Snort-users] NETBIOS SMB winreg access (unicode)

I see a lot of NETBIOS SMB winreg access (unicode) alerts on my Frame side.
Does anyone else see this on their network? I have 28,000 hits in 3 days
from a proxy server going to 50 destinations on my network.

payload:

length = 104

000 : 00 00 00 64 FF 53 4D 42 A2 00 00 00 00 18 07 C8   ...d.SMB........
010 : 00 00 00 00 00 00 00 00 00 00 00 00 00 28 14 04   .............(..
020 : 01 48 42 EB 18 FF 00 DE DE 00 0E 00 16 00 00 00   .HB.............
030 : 00 00 00 00 9F 01 02 00 00 00 00 00 00 00 00 00   ................
040 : 00 00 00 00 03 00 00 00 01 00 00 00 40 00 00 00   ............@...
050 : 02 00 00 00 03 11 00 00 5C 00 77 00 69 00 6E 00   ........\.w.i.n.
060 : 72 00 65 00 67 00 00 00                           r.e.g...


Does this look normal?


JP  
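
Added example, not part of the original thread: a small Python decoder that walks the payload quoted above as a NetBIOS-framed SMB1 NT Create AndX request and recovers the name being opened, which is what the alert keys on. The function names are illustrative; the hex bytes are copied from the post with the ASCII column dropped.

```python
import struct

# Hex dump from the post above (ASCII column dropped).
DUMP = """
000 : 00 00 00 64 FF 53 4D 42 A2 00 00 00 00 18 07 C8
010 : 00 00 00 00 00 00 00 00 00 00 00 00 00 28 14 04
020 : 01 48 42 EB 18 FF 00 DE DE 00 0E 00 16 00 00 00
030 : 00 00 00 00 9F 01 02 00 00 00 00 00 00 00 00 00
040 : 00 00 00 00 03 00 00 00 01 00 00 00 40 00 00 00
050 : 02 00 00 00 03 11 00 00 5C 00 77 00 69 00 6E 00
060 : 72 00 65 00 67 00 00 00
"""

SMB_COM_NT_CREATE_ANDX = 0xA2
FLAGS2_UNICODE = 0x8000

def dump_to_bytes(dump):
    """Convert 'offset : hex bytes' lines into raw bytes."""
    out = bytearray()
    for line in dump.strip().splitlines():
        out += bytes.fromhex(line.split(":", 1)[1])
    return bytes(out)

def decode_nt_create(pkt):
    """Decode a NetBIOS-framed SMB1 NT Create AndX request."""
    nb_len = int.from_bytes(pkt[1:4], "big")      # NetBIOS session length
    smb = pkt[4:4 + nb_len]
    if smb[:4] != b"\xffSMB":
        raise ValueError("not an SMB1 message")
    command = smb[4]
    if command != SMB_COM_NT_CREATE_ANDX:
        raise ValueError("not NT Create AndX")
    flags2, = struct.unpack_from("<H", smb, 10)
    word_count = smb[32]
    params = 33                                   # parameter words start here
    name_len, = struct.unpack_from("<H", smb, params + 5)
    access, = struct.unpack_from("<I", smb, params + 15)
    data = params + 2 * word_count + 2            # skip words and ByteCount
    unicode_names = bool(flags2 & FLAGS2_UNICODE)
    if unicode_names and data % 2:                # names are 2-byte aligned
        data += 1
    raw = smb[data:data + name_len]
    name = raw.decode("utf-16-le" if unicode_names else "ascii")
    return {"command": command, "unicode": unicode_names,
            "desired_access": access, "name": name}

if __name__ == "__main__":
    print(decode_nt_create(dump_to_bytes(DUMP)))
```

The decoded name is the `\winreg` named pipe with the Unicode flag set in Flags2, matching the "(unicode)" variant of the alert.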

