[Snort-users] Help with a particular alert

Paul Martin pmartin at ...11611...
Mon Sep 20 13:23:03 EDT 2004


Yeah, that WOULD make sense, wouldn't it?  =)  Here's what I get from 
ACID, under the "Payload" section:

 length = 226

000 : 00 00 00 DE FF 53 4D 42 73 00 00 00 00 18 07 C8   .....SMBs.......
010 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 FF FE   ................
020 : 00 00 40 00 0D 75 00 A8 00 04 11 32 00 00 00 00   ..@..u.....2....
030 : 00 00 00 01 00 00 00 00 00 00 00 D4 00 00 00 6B   ...............k
040 : 00 00 00 00 00 00 57 00 69 00 6E 00 64 00 6F 00   ......W.i.n.d.o.
050 : 77 00 73 00 20 00 53 00 65 00 72 00 76 00 65 00   w.s. .S.e.r.v.e.
060 : 72 00 20 00 32 00 30 00 30 00 33 00 20 00 33 00   r. .2.0.0.3. .3.
070 : 37 00 39 00 30 00 00 00 00 00 57 00 69 00 6E 00   7.9.0.....W.i.n.
080 : 64 00 6F 00 77 00 73 00 20 00 53 00 65 00 72 00   d.o.w.s. .S.e.r.
090 : 76 00 65 00 72 00 20 00 32 00 30 00 30 00 33 00   v.e.r. .2.0.0.3.
0a0 : 20 00 35 00 2E 00 32 00 00 00 00 00 04 FF 00 DE    .5...2.........
0b0 : 00 08 00 01 00 2B 00 00 5C 00 5C 00 32 00 32 00   .....+..\.\.2.2.
0c0 : 36 00 30 00 36 00 33 00 32 00 2D 00 43 00 42 00   6.0.6.3.2.-.C.B.
0d0 : 5C 00 49 00 50 00 43 00 24 00 00 00 3F 3F 3F 3F   \.I.P.C.$...????
0e0 : 3F 00                                             ?.

To my untrained eye, it seems innocuous enough, like a Win2k3 
announcement or something, but maybe someone else can decipher it better 
for me.  Thanks again.

Paul Martin
Network Technician
Hilton Grand Vacations Co.
(407) 393-3034
pmartin at ...11611...
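
The payload above, decoded field by field as an added example (this code is not from the thread, from Snort or from ACID; the function names and the ACID_DUMP constant are mine, and the dump itself is copied from the post). It parses the NetBIOS session header, the 32-byte SMB1 header and the AndX command chain per MS-CIFS, and reports the account and domain names, the native OS strings, the share path and service of a chained Tree Connect AndX, and whether a Session Setup AndX carries a security blob (raw NTLMSSP or a SPNEGO ASN.1 token, the field the alert name points at) or the older WordCount-13 form with password-length fields and no blob. On this dump it returns a Session Setup AndX request (flags 0x18, so not a reply) in the WordCount-13 form with an empty account and domain, the strings "Windows Server 2003 3790" and "Windows Server 2003 5.2", and a chained Tree Connect AndX to \\2260632-CB\IPC$ with service "?????". The hexdump reader takes ACID's "offset : hex   ascii" lines directly, so any other ACID payload can be pasted into ACID_DUMP.

```python
import re
import struct
# Constructed input: the ACID payload dump quoted in the post above, copied verbatim.
ACID_DUMP = r"""
000 : 00 00 00 DE FF 53 4D 42 73 00 00 00 00 18 07 C8   .....SMBs.......
010 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 FF FE   ................
020 : 00 00 40 00 0D 75 00 A8 00 04 11 32 00 00 00 00   ..@..u.....2....
030 : 00 00 00 01 00 00 00 00 00 00 00 D4 00 00 00 6B   ...............k
040 : 00 00 00 00 00 00 57 00 69 00 6E 00 64 00 6F 00   ......W.i.n.d.o.
050 : 77 00 73 00 20 00 53 00 65 00 72 00 76 00 65 00   w.s. .S.e.r.v.e.
060 : 72 00 20 00 32 00 30 00 30 00 33 00 20 00 33 00   r. .2.0.0.3. .3.
070 : 37 00 39 00 30 00 00 00 00 00 57 00 69 00 6E 00   7.9.0.....W.i.n.
080 : 64 00 6F 00 77 00 73 00 20 00 53 00 65 00 72 00   d.o.w.s. .S.e.r.
090 : 76 00 65 00 72 00 20 00 32 00 30 00 30 00 33 00   v.e.r. .2.0.0.3.
0a0 : 20 00 35 00 2E 00 32 00 00 00 00 00 04 FF 00 DE    .5...2.........
0b0 : 00 08 00 01 00 2B 00 00 5C 00 5C 00 32 00 32 00   .....+..\.\.2.2.
0c0 : 36 00 30 00 36 00 33 00 32 00 2D 00 43 00 42 00   6.0.6.3.2.-.C.B.
0d0 : 5C 00 49 00 50 00 43 00 24 00 00 00 3F 3F 3F 3F   \.I.P.C.$...????
0e0 : 3F 00                                             ?.
"""

SMB_HDR = struct.Struct("<4sBIBHH8sHHHHH")   # 32-byte SMB1 header (MS-CIFS 2.2.3.1)
FLAGS_REPLY, FLAGS2_EXTENDED_SECURITY = 0x80, 0x0800

def hexdump_to_bytes(dump):  # keep the 16 hex columns of each "off : xx xx ...   ascii" line
    out = bytearray()
    for line in dump.splitlines():
        for tok in line.split(":", 1)[-1].split()[:16]:
            if not re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
                break                            # reached the ASCII column
            out.append(int(tok, 16))
    return bytes(out)

def read_utf16z(buf, off):  # NUL-terminated UTF-16LE string at an even offset -> (text, next offset)
    end = off
    while end + 2 <= len(buf) and buf[end:end + 2] != b"\x00\x00":
        end += 2
    if end + 2 > len(buf):
        raise ValueError("unterminated Unicode string")
    return buf[off:end].decode("utf-16-le"), end + 2

def blob_kind(blob):  # classify a Session Setup security blob by its leading bytes
    if blob.startswith(b"NTLMSSP\x00"):
        return "raw NTLMSSP"
    return "SPNEGO/ASN.1" if blob[:1] in (b"\x60", b"\xa1") else "unknown"

def parse_session_setup(smb, off):  # request body at `off` = its WordCount byte (MS-CIFS 2.2.4.53.1)
    wc = smb[off]
    if wc == 13:    # NT LM 0.12 without extended security: password length fields, no security blob
        andx, _, andx_off, _, _, _, _, oem_len, uni_len, _, caps = struct.unpack_from("<BBHHHHIHHII", smb, off + 1)
        blob_len = 0
    elif wc == 12:  # extended security: a GSS-API/NTLMSSP blob replaces the password fields
        andx, _, andx_off, _, _, _, _, blob_len, _, caps = struct.unpack_from("<BBHHHHIHII", smb, off + 1)
        oem_len = uni_len = 0
    else:
        raise ValueError(f"unexpected Session Setup WordCount {wc}")
    pos = off + 1 + 2 * wc
    data_end = pos + 2 + struct.unpack_from("<H", smb, pos)[0]   # ByteCount bounds the data area
    blob = smb[pos + 2:pos + 2 + blob_len]
    pos += 2 + blob_len + oem_len + uni_len
    pos += pos % 2                               # Unicode strings start 2-byte aligned
    account = domain = None
    if wc == 13:
        account, pos = read_utf16z(smb, pos)
        domain, pos = read_utf16z(smb, pos)
    # NativeOS then NativeLanMan; Windows clients may add a spare NUL after each, so split on NUL.
    rest = smb[pos:data_end].decode("utf-16-le", errors="replace")
    return {"word_count": wc, "andx_command": andx, "andx_offset": andx_off, "capabilities": caps,
            "security_blob": blob_kind(blob) if blob else None, "account": account,
            "domain": domain, "native_strings": [s for s in rest.split("\x00") if s]}

def parse_tree_connect(smb, off):  # request body at `off` = its WordCount byte (MS-CIFS 2.2.4.55.1)
    wc, andx, _, andx_off, flags, pwd_len, _ = struct.unpack_from("<BBBHHHH", smb, off)
    if wc != 4:
        raise ValueError(f"unexpected Tree Connect WordCount {wc}")
    pos = off + 11 + pwd_len
    pos += pos % 2
    path, pos = read_utf16z(smb, pos)
    service = smb[pos:smb.index(b"\x00", pos)].decode("ascii")   # "?????" asks for any share type
    return {"andx_command": andx, "andx_offset": andx_off, "flags": flags, "path": path, "service": service}

PARSERS = {0x73: parse_session_setup, 0x75: parse_tree_connect}  # SESSION_SETUP_ANDX / TREE_CONNECT_ANDX
def decode(payload):  # NetBIOS session message -> SMB1 header -> decoded AndX command chain
    smb = payload[4:4 + int.from_bytes(payload[1:4], "big")]
    if payload[0] != 0 or len(smb) < SMB_HDR.size or smb[:4] != b"\xffSMB":
        raise ValueError("not a complete SMB1 session message")
    head = SMB_HDR.unpack_from(smb, 0)
    cmd, flags, flags2, chain, off = head[1], head[3], head[4], [], SMB_HDR.size
    while cmd in PARSERS:                        # ends at AndXCommand 0xFF or an undecoded command
        part = PARSERS[cmd](smb, off)
        chain.append((cmd, part))
        cmd, nxt = part["andx_command"], part["andx_offset"]
        if cmd in PARSERS and nxt <= off:
            raise ValueError("AndX offset does not advance")   # refuse a looping chain
        off = nxt
    return {"command": head[1], "is_reply": bool(flags & FLAGS_REPLY), "flags2": flags2,
            "extended_security_flag": bool(flags2 & FLAGS2_EXTENDED_SECURITY), "chain": chain}
if __name__ == "__main__":
    print(decode(hexdump_to_bytes(ACID_DUMP)))
```

Run it as a script to print the decoded chain. The two native strings in this dump are each followed by a spare NUL pair (at offsets 0x78 and 0xaa), which the parser tolerates by splitting the remaining data area on NUL rather than reading exactly two strings. What the decoder cannot tell you is why sid 2382 fired, since the rule's content checks are not quoted in the thread; it only shows what the packet carries.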



Scott Zawalski wrote:

> There is no way for us to tell if it is a false positive without 
> actual packet data. Just X out the IPs and post it.
>
> Scott
>
>
> Paul Martin wrote:
>
>> Ok, this is really bugging me. I've got 2 systems on our network that 
>> are continually spewing out something that's tripping this rule:
>>
>> Sep 17 08:19:55 hgvsnort snort: [1:2382:13] NETBIOS SMB DCERPC 
>> NTLMSSP asn1 overflow attempt [Classification: Attempted 
>> Administrator Privilege Gain] [Priority: 1]: {TCP} <IP address 
>> A>:2622 -> <IP address B>:139
>>
>>
>> I'm familiar with the ASN1 overflow attack, which is why I'm a little 
>> nervous that I'm seeing it on my network.  Now, both <IP address A> 
>> and <IP address B> are internal IPs.  And <IP address B> is always 
>> one of 3 systems: both DNS servers, and a random client.  They've got 
>> the most current anti-virus and have been scanned for spyware.  What 
>> is it that I'm missing?  Could it be a false positive?  I don't 
>> really think it is, but I'm open to suggestion at this point.
>>