[Snort-users] netbios rules question

Esler, Joel - Contractor joel.esler at ...9426...
Tue Nov 30 11:29:07 EST 2004


I would most likely say that these are information signatures.  They
aren't false positive, but if you do alot of drive/network shares and
stuff like that, you're going to see that kind of thing.
 
Joel

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of
RKejariwal at ...12730...
Sent: Tuesday, November 30, 2004 2:13 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] netbios rules question



Hi All 
I had a question regarding netbios rules. Lately I have been receiving a
lot of the alerts as shown below where A.A.A.A and B.B.B.B are all
internal hosts to my network. In addition B.B.B.B is the IP address of
our domain controller.  Is this merely false positiive or something i
should be concerned about. How do I go abt troubleshooting further to
see what exactly is happenig. Any help will be appreciated 

Thanks 
Ravi 

[**] [1:2466:4] NETBIOS SMB-DS IPC$ share unicode access [**] 
[Classification: Generic Protocol Command Decode] [Priority: 3] 
11/30-14:05:00.173386 A.A.A.A:1105 -> B.B.B.B:139 
TCP TTL:128 TOS:0x0 ID:22636 IpLen:20 DgmLen:128 DF 
***AP*** Seq: 0xD1482D9A  Ack: 0x4A54B89D  Win: 0xFFFF  TcpLen: 20 

[**] [1:2404:5] NETBIOS SMB-DS Session Setup AndX request unicode
username overflow attempt [**] 
[Classification: Attempted Administrator Privilege Gain] [Priority: 1] 
11/30-14:05:00.163386  A.A.A.A:1105 -> B.B.B.B:445 
TCP TTL:128 TOS:0x0 ID:22635 IpLen:20 DgmLen:1440 DF 
***AP*** Seq: 0xD1482822  Ack: 0x4A54B769  Win: 0xFAB7  TcpLen: 20 
[Xref =>
http://www.eeye.com/html/research/advisories/ad20040226.html][Xref =>
http://www.securityfocus.com/bid/9752] 













The information transmitted is intended only for the person or entity to
which it is addressed and may contain confidential and/or privileged
material.  Any review, retransmission, dissemination or other use of, or
taking of any action in reliance upon, this information by persons or
entities other than the intended recipient is prohibited.   If you
received this in error, please contact the sender and delete the
material from any computer.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20041130/d4b90715/attachment.html>


More information about the Snort-users mailing list