[Snort-users] netbios rules question
sekure at ...11827...
Tue Nov 30 11:31:14 EST 2004
Well, NETBIOS SMB-DS IPC$ share unicode access is perfectly innocuous.
Windows machines routinely connect to each other's IPC shares
(Inter-processor Communications). So I wouldn't worry about it too
much. Others may disagree, but what I do with this rule is threshold
it so that it only alerts on machines that trigger this rule more than
5 times in 60 seconds. I am hoping that if there is a worm or an
automatic exploit, this rule will help me catch it, while at the same
time suppressing the day-to-day regular communication.
The other alert has been generating a large number of false positives
for me, so I suppressed it. If you look at the description it seems
to only affect ISS (NOT IIS) servers.
On Tue, 30 Nov 2004 14:13:07 -0500, rkejariwal at ...12730...
<rkejariwal at ...12730...> wrote:
> Hi All,
> I had a question regarding netbios rules. Lately I have been receiving a lot
> of the alerts as shown below, where A.A.A.A and B.B.B.B are all internal
> hosts to my network. In addition, B.B.B.B is the IP address of our domain
> controller. Is this merely a false positive or something I should be
> concerned about? How do I go about troubleshooting further to see what exactly
> is happening? Any help will be appreciated.
> [**] [1:2466:4] NETBIOS SMB-DS IPC$ share unicode access [**]
> [Classification: Generic Protocol Command Decode] [Priority: 3]
> 11/30-14:05:00.173386 A.A.A.A:1105 -> B.B.B.B:139
> TCP TTL:128 TOS:0x0 ID:22636 IpLen:20 DgmLen:128 DF
> ***AP*** Seq: 0xD1482D9A Ack: 0x4A54B89D Win: 0xFFFF TcpLen: 20
> [**] [1:2404:5] NETBIOS SMB-DS Session Setup AndX request unicode username
> overflow attempt [**]
> [Classification: Attempted Administrator Privilege Gain] [Priority: 1]
> 11/30-14:05:00.163386 A.A.A.A:1105 -> B.B.B.B:445
> TCP TTL:128 TOS:0x0 ID:22635 IpLen:20 DgmLen:1440 DF
> ***AP*** Seq: 0xD1482822 Ack: 0x4A54B769 Win: 0xFAB7 TcpLen: 20
> [Xref => http://www.eeye.com/html/research/advisories/ad20040226.html][Xref
> => http://www.securityfocus.com/bid/9752]
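The thresholding and suppression described in the reply above, written out as a Snort 2.x threshold.conf fragment. This is an added example, not configuration posted by anyone in the thread; the sid numbers come from the quoted alerts, and the 192.0.2.10 address standing in for the one ISS server is a placeholder.

```conf
# Constructed example: SID 2466 (NETBIOS SMB-DS IPC$ share unicode access)
# is normal Windows-to-Windows traffic, so instead of alerting on every
# connection, fire only when one source hits the rule 5 times inside 60 s.
# "type threshold" alerts on every 5th match per source; "type both" would
# alert once per 60 s window after the 5th match, which is quieter still.
threshold gen_id 1, sig_id 2466, type threshold, track by_src, count 5, seconds 60

# Weak setting: a global suppress hides SID 2404 for every host, so a real
# Session Setup AndX overflow attempt against any server is never seen.
# suppress gen_id 1, sig_id 2404

# Narrower alternative: the reply says the overflow only affects ISS servers,
# so suppress the alert only when the destination is the ISS host
# (192.0.2.10 is a placeholder) and keep alerting for everything else.
suppress gen_id 1, sig_id 2404, track by_dst, ip 192.0.2.10
```

The same threshold can instead be placed inside the rule itself as `threshold: type threshold, track by_src, count 5, seconds 60;`, which is useful when the rule is customised locally rather than pulled from the stock rule set.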