No subject

Thu Nov 23 16:36:19 EST 2017

worm.  I imagine that url in the rule will have one.

Hope this helps,

-Joe M.

-- 
Joe McAlerney
Software Developer / Security Consultant
joey at ...47...
Silicon Defense: IDS Solutions -=- http://www.silicondefense.com/

> John Rodley wrote:
> 
> I'm a new snort user managing a small corporate network.  I need
> confirmation that my interpretation of this snort alert is correct.
> 
> syslog entry:
> 12-05-2001 09:00:25 Auth.Alert a.a.a.a    snort[588]: [1:1294:2]
> NETBIOS nimda .nws [Classification: Potentially Bad Traffic]
> [Priority: 2]: {TCP} a.b.c.d:4003 -> w.x.y.z:139
> 
> snort log entry:
> [**] NETBIOS nimda .nws [**]
> 12/05-08:28:37.632972 a.b.c.d:4003 -> w.x.y.z:139
> TCP TTL:128 TOS:0x0 ID:48598 IpLen:20 DgmLen:636 DF
> ***AP*** Seq: 0xDF858CCB  Ack: 0x48C607FC  Win: 0x40A7  TcpLen: 20
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> 
> netbios.rule being triggered
> alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS nimda
> .nws"; content:"|00|N|00|W|00|S"; flags:A+; classtype:bad-unknown;
> reference:url,www.datafellows.com/v-descs/nimda.shtml; sid:1294;
> rev:2;)
> 
> My interpretation of this is that a.b.c.d transmitted the string "NWS"
> over a connection from source port 4003 to destination port 139 on
> w.x.y.z.  Would that be correct?
> 
> Suspecting this is a false positive since both machines scan clean.
> 
> John Rodley
> 
>
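
The content pattern from the quoted sid:1294 rule, decoded and applied to constructed sample payloads, as an added example that is not code from the original thread or from Snort. In Snort content strings, text between `|` characters is hex, so `|00|N|00|W|00|S` is the byte sequence 00 4E 00 57 00 53, i.e. a wide-character (UTF-16LE) "NWS" preceded by another character, which is how a ".nws" file name inside SMB traffic on port 139 triggers it; the `rule_1294_matches` function, the SMB-style prefix and the file names are assumptions made for illustration.

```python
# The content pattern of the sid:1294 rule, copied from the quoted message.
RULE_CONTENT = '|00|N|00|W|00|S'


def snort_content_to_bytes(pattern: str) -> bytes:
    """Decode a Snort content string: text between '|' is hex bytes,
    everything outside the bars is literal ASCII."""
    out = bytearray()
    for i, chunk in enumerate(pattern.split('|')):
        if i % 2 == 1:  # odd chunks sit between bars: whitespace-separated hex
            out += bytes.fromhex(chunk.replace(' ', ''))
        else:
            out += chunk.encode('ascii')
    return bytes(out)


def rule_1294_matches(dst_port: int, tcp_flags: str, payload: bytes) -> bool:
    """Approximation (assumption, not Snort's engine) of the quoted rule:
    destination port 139, ACK bit set (flags:A+), content present in payload.
    tcp_flags uses the log's notation, e.g. '***AP***'."""
    if dst_port != 139 or 'A' not in tcp_flags:
        return False
    return snort_content_to_bytes(RULE_CONTENT) in payload


# Constructed sample payloads (not captured traffic). SMB carries file names
# as UTF-16LE, so a wide-char name ending in ".NWS" contains the rule bytes.
SMB_PREFIX = b'\xffSMB'                                   # constructed header stub
NIMDA_STYLE = SMB_PREFIX + 'README.NWS'.encode('utf-16-le')  # 2E 00 4E 00 57 00 53 00
BENIGN_ASCII = SMB_PREFIX + b'README.NWS'                 # plain ASCII, no 00 bytes
BENIGN_WIDE = SMB_PREFIX + 'NEWS.TXT'.encode('utf-16-le')  # 'E' breaks the N-W-S run

if __name__ == '__main__':
    print(snort_content_to_bytes(RULE_CONTENT).hex(' '))
    for name, payload in [('UTF-16LE README.NWS', NIMDA_STYLE),
                          ('ASCII README.NWS', BENIGN_ASCII),
                          ('UTF-16LE NEWS.TXT', BENIGN_WIDE)]:
        print(name, '->', rule_1294_matches(139, '***AP***', payload))
```

Because the match is a raw byte pattern, any UTF-16LE file name carrying "NWS" after another character on port 139 fires the rule, which is worth keeping in mind when judging whether an alert like the one quoted is a false positive.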
