[Snort-users] netbios rules question

sekure sekure at ...11827...
Tue Nov 30 11:31:14 EST 2004


Well, NETBIOS SMB-DS IPC$ share unicode access is perfectly innocuous.
Windows machines routinely connect to each other's IPC shares
(Inter-processor Communications).  So I wouldn't worry about it too
much.  Others may disagree, but what I do with this rule is threshold
it so that it only alerts on machines that trigger this rule more than
5 times in 60 seconds.  I am hoping that if there is a worm or an
automatic exploit, this rule will help me catch it, while at the same
time suppressing the day-to-day regular communication.

The other alert has been generating a large number of false positives
for me, so I suppressed it.  If you look at the description it seems
to only affect ISS (NOT IIS) servers.

Good luck

On Tue, 30 Nov 2004 14:13:07 -0500, rkejariwal at ...12730...
<rkejariwal at ...12730...> wrote:
> 
> Hi All 
> I had a question regarding netbios rules. Lately I have been receiving a lot
> of the alerts as shown below, where A.A.A.A and B.B.B.B are all internal
> hosts to my network. In addition, B.B.B.B is the IP address of our domain
> controller.  Is this merely a false positive or something I should be
> concerned about? How do I go about troubleshooting further to see what exactly
> is happening? Any help will be appreciated.
> 
> Thanks 
> Ravi 
> 
> [**] [1:2466:4] NETBIOS SMB-DS IPC$ share unicode access [**] 
> [Classification: Generic Protocol Command Decode] [Priority: 3] 
> 11/30-14:05:00.173386 A.A.A.A:1105 -> B.B.B.B:139 
> TCP TTL:128 TOS:0x0 ID:22636 IpLen:20 DgmLen:128 DF 
> ***AP*** Seq: 0xD1482D9A  Ack: 0x4A54B89D  Win: 0xFFFF  TcpLen: 20 
> 
> [**] [1:2404:5] NETBIOS SMB-DS Session Setup AndX request unicode username
> overflow attempt [**] 
> [Classification: Attempted Administrator Privilege Gain] [Priority: 1] 
> 11/30-14:05:00.163386  A.A.A.A:1105 -> B.B.B.B:445 
> TCP TTL:128 TOS:0x0 ID:22635 IpLen:20 DgmLen:1440 DF 
> ***AP*** Seq: 0xD1482822  Ack: 0x4A54B769  Win: 0xFAB7  TcpLen: 20 
> [Xref => http://www.eeye.com/html/research/advisories/ad20040226.html][Xref
> => http://www.securityfocus.com/bid/9752]
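The reply above describes two event filters: suppress sid 2404 outright, and threshold sid 2466 so it only fires when one source trips it 5 times inside 60 seconds. In Snort 2.x threshold.conf syntax that is `suppress gen_id 1, sig_id 2404` and `threshold gen_id 1, sig_id 2466, type threshold, track by_src, count 5, seconds 60`. The script below is an added example, written for this page and not code from either poster or from the Snort project: it re-implements that "type threshold, track by_src" semantics in Python and replays it over constructed alert records in Snort's full alert format (the 10.0.0.x addresses, the timestamps and the burst from 10.0.0.77 are all made up; the missing year in Snort's timestamp is assumed to be 2004 for parsing). It shows why the thresholded rule stays quiet for a workstation that touches the DC's IPC$ twice in fifteen minutes but still fires for a host that opens seven sessions in twenty seconds.

```python
"""Replay Snort 2.x-style suppress/threshold filtering over 'full' alert text."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]$")
PACKET_RE = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+(\S+):(\d+) -> (\S+):(\d+)$")
YEAR = 2004  # assumption: Snort full-format timestamps carry no year


def parse_full_alerts(text):
    """Yield (timestamp, gid, sid, msg, src_ip, dst_ip) for each alert record.
    Classification, TCP-flag and Xref lines are ignored."""
    gid = sid = msg = None
    for line in text.splitlines():
        line = line.rstrip()
        m = HEADER_RE.match(line)
        if m:
            gid, sid, msg = int(m.group(1)), int(m.group(2)), m.group(4)
            continue
        m = PACKET_RE.match(line)
        if m and sid is not None:
            ts = datetime.strptime(f"{YEAR}/{m.group(1)}", "%Y/%m/%d-%H:%M:%S.%f")
            yield ts, gid, sid, msg, m.group(2), m.group(4)
            gid = sid = msg = None  # one packet line per record


class EventFilter:
    """Mimics two threshold.conf entry types:
         suppress  gen_id G, sig_id S                      -> never alert
         threshold gen_id G, sig_id S, type threshold,
                   track by_src, count C, seconds T        -> alert once per
                   C events from the same source inside T seconds, then
                   start counting again (Snort's 'type threshold')."""

    def __init__(self):
        self.suppressed = set()
        self.thresholds = {}
        self._seen = defaultdict(deque)  # (gid, sid, src) -> recent timestamps

    def suppress(self, gid, sid):
        self.suppressed.add((gid, sid))

    def threshold(self, gid, sid, count, seconds):
        self.thresholds[(gid, sid)] = (count, timedelta(seconds=seconds))

    def should_alert(self, ts, gid, sid, src_ip):
        if (gid, sid) in self.suppressed:
            return False
        if (gid, sid) not in self.thresholds:
            return True
        count, window = self.thresholds[(gid, sid)]
        q = self._seen[(gid, sid, src_ip)]
        q.append(ts)
        while q and ts - q[0] > window:  # drop events older than the window
            q.popleft()
        if len(q) >= count:
            q.clear()  # fired: counting restarts, as Snort's 'type threshold' does
            return True
        return False


def build_filter():
    """The configuration from the reply: suppress 2404, threshold 2466 at 5/60s."""
    ef = EventFilter()
    ef.suppress(1, 2404)
    ef.threshold(1, 2466, count=5, seconds=60)
    return ef


def filter_alerts(text, ef):
    """Return the (timestamp, sid, src_ip, msg) records that survive the filter."""
    return [(ts, sid, src, msg) for ts, gid, sid, msg, src, _dst in parse_full_alerts(text)
            if ef.should_alert(ts, gid, sid, src)]


def _record(sid, msg, clock, src, dst, dport):
    """Build one constructed full-format alert record (sample data, not real traffic)."""
    return (f"[**] [1:{sid}:4] {msg} [**]\n"
            "[Classification: Generic Protocol Command Decode] [Priority: 3]\n"
            f"11/30-{clock} {src}:1105 -> {dst}:{dport}\n"
            "TCP TTL:128 TOS:0x0 ID:22636 IpLen:20 DgmLen:128 DF\n")


IPC_MSG = "NETBIOS SMB-DS IPC$ share unicode access"
OVF_MSG = "NETBIOS SMB-DS Session Setup AndX request unicode username overflow attempt"
DC = "10.0.0.1"  # constructed: the domain controller
SAMPLE_ALERTS = "".join(
    [_record(2466, IPC_MSG, "14:05:00.173386", "10.0.0.5", DC, 139),   # ordinary workstation
     _record(2404, OVF_MSG, "14:05:00.163386", "10.0.0.5", DC, 445),   # will be suppressed
     _record(2466, IPC_MSG, "14:20:00.000000", "10.0.0.5", DC, 139)]   # 15 min later: no burst
    + [_record(2466, IPC_MSG, f"14:30:{3 * i:02d}.000000", "10.0.0.77", DC, 139)
       for i in range(7)])                                             # 7 hits in 18 s

if __name__ == "__main__":
    for ts, sid, src, msg in filter_alerts(SAMPLE_ALERTS, build_filter()):
        print(f"{ts:%m/%d-%H:%M:%S} sid {sid} from {src}: {msg}")
```

Only one alert survives: the fifth IPC$ access from 10.0.0.77 at 14:30:12. The two accesses from 10.0.0.5 never reach the count, and the 2404 hit is dropped regardless of rate, which is the trade-off of a blanket suppress: if the false positives were worth silencing, nothing will tell you when a real overflow attempt arrives on that SID.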
