[Snort-users] Strange Traffic Flow

Theodore Stout theodorestout at ...131...
Fri Oct 14 07:03:46 EDT 2005


All,

I got this strange message with Snort.

It's claiming that one host is sending large ICMP
packets to my DC, and the DC answers back with the
same large ICMP packet. 
Why would that be?
 
Another thing I keep getting between a host and a
server is this:
 
The host starts the conversation with the server
requesting "NETBIOS SMB-DS IPC$ unicode share access"
from port 1442 to 445 (Priority 3).
The server answers by doing "NETBIOS SMB Session Setup
AndX request unicode username overflow attempt" to the
host from port 2064 to 139 (Priority 1).
The conversation between the machines ends with the
server asking for "NETBIOS SMB IPC$ unicode share
access" on port 2064 to port 139 (priority 3).

Then it takes a short while and either this machine
does it again, or it's another machine trying. Does
anyone know why this might be happening?

Thanks

Theo



