[Snort-users] netbios rules question

RKejariwal at ...12730... RKejariwal at ...12730...
Tue Nov 30 11:14:01 EST 2004


Hi All
I had a question regarding netbios rules. Lately I have been receiving a 
lot of the alerts as shown below where A.A.A.A and B.B.B.B are all 
internal hosts to my network. In addition B.B.B.B is the IP address of our 
domain controller.  Is this merely false positiive or something i should 
be concerned about. How do I go abt troubleshooting further to see what 
exactly is happenig. Any help will be appreciated

Thanks
Ravi

[**] [1:2466:4] NETBIOS SMB-DS IPC$ share unicode access [**]
[Classification: Generic Protocol Command Decode] [Priority: 3] 
11/30-14:05:00.173386 A.A.A.A:1105 -> B.B.B.B:139
TCP TTL:128 TOS:0x0 ID:22636 IpLen:20 DgmLen:128 DF
***AP*** Seq: 0xD1482D9A  Ack: 0x4A54B89D  Win: 0xFFFF  TcpLen: 20

[**] [1:2404:5] NETBIOS SMB-DS Session Setup AndX request unicode username 
overflow attempt [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: 1] 
11/30-14:05:00.163386  A.A.A.A:1105 -> B.B.B.B:445
TCP TTL:128 TOS:0x0 ID:22635 IpLen:20 DgmLen:1440 DF
***AP*** Seq: 0xD1482822  Ack: 0x4A54B769  Win: 0xFAB7  TcpLen: 20
[Xref => 
http://www.eeye.com/html/research/advisories/ad20040226.html][Xref => 
http://www.securityfocus.com/bid/9752]













The information transmitted is intended only for the person or entity to 
which it is addressed and may contain confidential and/or privileged 
material.  Any review, retransmission, dissemination or other use of, or 
taking of any action in reliance upon, this information by persons or 
entities other than the intended recipient is prohibited.   If you 
received this in error, please contact the sender and delete the material 
from any computer.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20041130/427aced9/attachment.html>


More information about the Snort-users mailing list