[Snort-users] Strange Traffic Flow

Frank Knobbe frank at ...9761...
Fri Oct 14 17:05:28 EDT 2005


On Fri, 2005-10-14 at 07:02 -0700, Theodore Stout wrote:
> It's claiming that one host is sending large ICMP
> packets to my DC, and the DC answers back with the
> same large ICMP packet. 
> Why would that be?

That's normal. Google for "slow link detection domain controller".

> The host starts the conversation with the server
> requesting "NETBIOS SMB-DS IPC$ unicode share access"
[...]
> Then it takes a short while and either this machine
> does it again, or it's another machine trying. Does
> anyone know why this might be happening?

Depends on your network. I consider the Snort SMB signatures to be
informational at best, especially the "share access" ones. You need to
follow the motions though.... investigate, understand, tune.

Cheers,
Frank
