No subject


Thu Nov 23 16:36:19 EST 2017


 After seeing a lot of NetBIOS node-status probes in my firewall logs,
 I discovered that many NT servers apparently do a reverse DNS lookup
 by sending a NetBIOS node-status query.  This is documented at:

         http://support.microsoft.com/support/kb/articles/Q154/5/53.ASP

  Chris.

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Bill
Pennington
Sent: Wednesday, December 13, 2000 11:01 AM
To: Dr SuSE
Cc: Snort Users
Subject: Re: [Snort-users] RFC1918 traffic


I believe the traffic you are seeing is due to a bug in Windows name
resolution. If an NT machine tries to resolve an IP address it tries
DNS, then WINS. In the case of a dual homed machine this also causes the
machine to send Netbios resolution packets from all interfaces. This is
most likely what you encountered. I can't find the MS article on this
issue at the moment.

I have been thinking about writing something that would force a machine
with this bug to give up internal IP addresses but have not had time to
pursue it.

Dr SuSE wrote:
>
> At the place of my current employment one of my tasks is to review alerts
> sent to me by our firewall and from that information I'm expected to determine
> what would-be hackers are up to without having access to the full firewall
> logs.
>
> Yesterday I got an alert and noticed something was not right.  Packets were
> being dropped which had a source IP of 192.168.0.1.  Here is the alert sent
> to me.
> ===================================
> 11Dec2000 18:21:07 drop firewall > btlan01 useralert proto tcp src 192.168.0.1
> dst machine.my.domain.com service port135 s_port 1047 len 48 rule 44
> ====================================
>
> There are a total of three of these and they are all identical and all came in
> within a few seconds of each other.
>
> I talked to Marty about this last night on #snort and he provided much help as
> to how an RFC1918 IP could show up on the Internet side of the firewall.
> Thanks again for the info Marty.
>
> So, last night I wrote a rule to detect TCP, ICMP and UDP traffic from RFC1918
> IP's.  I'm not sure how useful the rules will be but I figured I'd share the
> info and maybe get some feedback from the rest of you Snort users and in the
> process learn something.  I'm sorry I don't have any more information other
> than the email alert but that's all I have access to.
>
> Anyway, to the rules.
>
> In snort.conf I created a variable which has the value of the private IP's as
> specified by RFC 1918
>
> var RFC1918 [10.0.0.0/8,172.16.0.0/12,192.168.0.0/16]
>
> Then in the rules file I simply added these rules.
>
> alert TCP $RFC1918 any -> $INTERNAL any (msg: "TCP Traffic from RFC1918 IP";)
> alert UDP $RFC1918 any -> $INTERNAL any (msg: "UDP Traffic from RFC1918 IP";)
> alert ICMP $RFC1918 any -> $INTERNAL any (msg: "ICMP Traffic from RFC1918 IP";)
>
> ---------------------------------------------
> Microsoft ist nicht installiert.
> http://www.drsuse.org/
>
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/mailman/listinfo/snort-users

--


Bill Pennington - CISSP
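As an added example, not code from the thread or from Snort, here is the same check that Dr SuSE's three rules perform, run offline over firewall alert lines of the kind he quoted: parse the line, extract the source address, and flag it if it falls inside one of the three RFC 1918 blocks. The line format regex is an assumption reconstructed from the single quoted alert, and the extra sample lines are constructed for the example.

```python
import ipaddress
import re

# The three RFC 1918 blocks, the same values as the $RFC1918 variable above.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed layout of the firewall "useralert" line, reconstructed from the
# one line quoted in the thread (date time action gw > iface kind proto ...).
ALERT_RE = re.compile(
    r"(?P<date>\S+)\s+(?P<time>\S+)\s+(?P<action>\S+)\s+"
    r"(?P<gw>\S+)\s+>\s+(?P<iface>\S+)\s+(?P<kind>\S+)\s+"
    r"proto\s+(?P<proto>\S+)\s+src\s+(?P<src>\S+)\s+dst\s+(?P<dst>\S+)\s+"
    r"service\s+(?P<service>\S+)\s+s_port\s+(?P<sport>\d+)\s+"
    r"len\s+(?P<len>\d+)\s+rule\s+(?P<rule>\d+)"
)


def is_rfc1918(ip_text):
    """True if ip_text is an IPv4 address inside one of the RFC 1918 blocks."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # hostnames or garbage can never be a private IPv4 address
    return ip.version == 4 and any(ip in net for net in RFC1918)


def parse_alert(line):
    """Split one alert line into its named fields, or None if it does not match."""
    m = ALERT_RE.match(line.strip())
    return m.groupdict() if m else None


def find_private_source_alerts(lines):
    """Return (proto, src, dst) for every parsable line whose source is RFC 1918.

    This mirrors the three Snort rules: any TCP, UDP or ICMP packet whose
    source address is in $RFC1918, regardless of port.
    """
    hits = []
    for line in lines:
        rec = parse_alert(line)
        if rec is None:
            continue
        if rec["proto"] in ("tcp", "udp", "icmp") and is_rfc1918(rec["src"]):
            hits.append((rec["proto"], rec["src"], rec["dst"]))
    return hits


# Constructed sample: the line quoted in the thread plus two made-up lines,
# one from another private block and one from a public (documentation) address.
SAMPLE = [
    "11Dec2000 18:21:07 drop firewall > btlan01 useralert proto tcp src 192.168.0.1 "
    "dst machine.my.domain.com service port135 s_port 1047 len 48 rule 44",
    "11Dec2000 18:21:09 drop firewall > btlan01 useralert proto udp src 10.1.2.3 "
    "dst machine.my.domain.com service port137 s_port 137 len 78 rule 44",
    "11Dec2000 18:21:10 drop firewall > btlan01 useralert proto tcp src 198.51.100.7 "
    "dst machine.my.domain.com service port135 s_port 2049 len 48 rule 44",
]

if __name__ == "__main__":
    for hit in find_private_source_alerts(SAMPLE):
        print("RFC1918 source on the outside:", hit)
```

Because the check is on the address alone, it will also fire on the NetBIOS traffic Bill and Chris describe (a dual-homed NT host sending node-status queries from its private interface), which is exactly the kind of event the rules are meant to surface; what it cannot tell you is whether the packet was spoofed or leaked, so the firewall's own logs are still needed for that.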