[Snort-users] Re: Confused about rules and logs

b311b-snort at ...6044...
Mon May 10 05:51:01 EDT 2004


On Mon, 10 May 2004 04:11:12 -0700 (PDT)
Richard Bejtlich wrote:

> I strongly recommend you upgrade to a version of Snort
> not found in the www.snort.org/dl/do_not_use/
> directory.  The version you are running is vulnerable
> to several exploits.
> (www.cert.org/advisories/CA-2003-13.html)

Thanks.  I'm looking into upgrading my NetBSD firewall to the latest
version of NetBSD... but it's going to take a while.  In the meantime,
I'd really like to figure out what's so different about this one
Windows workstation.  I have three other Windows PCs on my small
network and this is the only one that's giving me trouble.

I'll take a look at Ethereal... hopefully I'll be able to figure out
how to do what you're asking, but in the meantime, here's some more
info. I restarted snort with the -I flag. At that point, I started
getting new messages in /var/log/snort/portscan that look like this:

May 10 00:11:21 192.168.2.66:137 -> 192.168.2.252:137 UDP
May 10 00:11:28 192.168.2.66:137 -> 192.168.2.252:137 UDP
May 10 00:11:35 192.168.2.66:137 -> 192.168.2.252:137 UDP
May 10 00:11:42 192.168.2.66:137 -> 192.168.2.252:137 UDP
May 10 00:11:50 192.168.2.66:137 -> 192.168.2.252:137 UDP
May 10 00:11:57 192.168.2.66:137 -> 192.168.2.252:137 UDP
May 10 00:12:04 192.168.2.66:137 -> 192.168.2.252:137 UDP
May 10 00:12:14 192.168.2.66:137 -> 192.168.2.255:137 UDP

I suspected the traffic had something to do with NetBIOS and this
confirms it.

192.168.2.66 is a Linux box that's providing DHCP and SMB services for
my network.  I have Samba set up to act as an NT domain controller.
192.168.2.252 is a Windows box that's generating messages in
/var/log/snort/log that look like this:

[**] spp_portscan: portscan status from 192.168.2.252: 3 connections across 3 hosts: TCP(0), UDP(3) [**]
[**] spp_portscan: portscan status from 192.168.2.252: 4 connections across 3 hosts: TCP(0), UDP(4) [**]
[**] spp_portscan: portscan status from 192.168.2.252: 2 connections across 2 hosts: TCP(0), UDP(2) [**]
[**] spp_portscan: portscan status from 192.168.2.252: 2 connections across 2 hosts: TCP(0), UDP(2) [**]

All of my Windows boxes on the network maintain mapped network drives,
use domain logins, etc.  They're all configured exactly the same way,
but this is the only one that generates the messages.

Brenda Bell
Henniker (the only one on earth)
New Hampshire (the state with 5 seasons: black fly, tourist, foliage, ski and mud)
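As an added example (not code from the post or from the Snort project), here is a small parser for the two Snort log formats quoted above. It tallies distinct destination hosts and per-protocol packets for each source, the same quantities spp_portscan reports in its "N connections across M hosts" status line, and tags sources whose only traffic is UDP/137 (NetBIOS name service) so an analyst can separate name-resolution chatter from a real scan. The sample log lines are constructed (the 192.168.2.252-sourced lines are invented to match the status line) and all function and variable names are mine.

```python
import re
from collections import defaultdict

# Constructed sample in the /var/log/snort/portscan per-packet format.
PORTSCAN_LOG = """\
May 10 00:11:21 192.168.2.66:137 -> 192.168.2.252:137 UDP
May 10 00:11:28 192.168.2.66:137 -> 192.168.2.252:137 UDP
May 10 00:12:14 192.168.2.66:137 -> 192.168.2.255:137 UDP
May 10 00:12:20 192.168.2.252:137 -> 192.168.2.66:137 UDP
May 10 00:12:21 192.168.2.252:137 -> 192.168.2.70:137 UDP
May 10 00:12:22 192.168.2.252:137 -> 192.168.2.255:137 UDP
"""
# Constructed sample in the spp_portscan status format from /var/log/snort/log.
STATUS_LOG = """\
[**] spp_portscan: portscan status from 192.168.2.252: 3 connections across 3 hosts: TCP(0), UDP(3) [**]
"""

PKT_RE = re.compile(r"^(\w{3} +\d+ [\d:]+) (\S+):(\d+) -> (\S+):(\d+) (TCP|UDP)")
STATUS_RE = re.compile(
    r"portscan status from (\S+): (\d+) connections across (\d+) hosts: "
    r"TCP\((\d+)\), UDP\((\d+)\)")
NBNS_PORT = 137  # NetBIOS name service

def summarize_packets(text):
    """Per source IP: distinct destination hosts, TCP/UDP packet counts, dst ports."""
    per_src = defaultdict(lambda: {"hosts": set(), "TCP": 0, "UDP": 0, "dports": set()})
    for line in text.splitlines():
        m = PKT_RE.match(line)
        if not m:
            continue  # skip anything that is not a per-packet portscan line
        _ts, src, _sport, dst, dport, proto = m.groups()
        entry = per_src[src]
        entry["hosts"].add(dst)
        entry[proto] += 1
        entry["dports"].add(int(dport))
    return per_src

def parse_status(text):
    """Extract source, connection and host counts from spp_portscan status lines."""
    out = []
    for line in text.splitlines():
        m = STATUS_RE.search(line)
        if m:
            src, conns, hosts, tcp, udp = m.groups()
            out.append({"src": src, "connections": int(conns), "hosts": int(hosts),
                        "TCP": int(tcp), "UDP": int(udp)})
    return out

def classify(entry):
    """Tag a source whose only traffic is UDP/137 as NBNS chatter, else leave for review."""
    if entry["TCP"] == 0 and entry["dports"] == {NBNS_PORT}:
        return "nbns-name-service"
    return "review"
```

Running summarize_packets over the real /var/log/snort/portscan file and comparing the per-source host counts with parse_status output from /var/log/snort/log shows whether a status line is explained entirely by name-service queries to several hosts.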