<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:st1="urn:schemas-microsoft-com:office:smarttags" xmlns="http://www.w3.org/TR/REC-html40">

<head>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">


<meta name=ProgId content=Word.Document>
<meta name=Generator content="Microsoft Word 10">
<meta name=Originator content="Microsoft Word 10">
<link rel=File-List href="cid:filelist.xml@...12731...">
<title>Message</title>
<o:SmartTagType namespaceuri="urn:schemas-microsoft-com:office:smarttags"
 name="PersonName"/>
<o:SmartTagType namespaceuri="urn:schemas-microsoft-com:office:smarttags"
 name="place" downloadurl="http://www.5iantlavalamp.com/"/>
<o:SmartTagType namespaceuri="urn:schemas-microsoft-com:office:smarttags"
 name="time"/>
<o:SmartTagType namespaceuri="urn:schemas-microsoft-com:office:smarttags"
 name="date"/>
<!--[if gte mso 9]><xml>
 <o:OfficeDocumentSettings>
  <o:DoNotRelyOnCSS/>
 </o:OfficeDocumentSettings>
</xml><![endif]--><!--[if gte mso 9]><xml>
 <w:WordDocument>
  <w:SpellingState>Clean</w:SpellingState>
  <w:GrammarState>Clean</w:GrammarState>
  <w:DocumentKind>DocumentEmail</w:DocumentKind>
  <w:EnvelopeVis/>
  <w:Compatibility>
   <w:ApplyBreakingRules/>
   <w:UseFELayout/>
  </w:Compatibility>
  <w:BrowserLevel>MicrosoftInternetExplorer4</w:BrowserLevel>
 </w:WordDocument>
</xml><![endif]--><!--[if !mso]>
<style>
st1\:*{behavior:url(#default#ieooui) }
</style>
<![endif]-->
<style>
<!--
 /* Font Definitions */
 @font-face
        {font-family:SimSun;
        panose-1:2 1 6 0 3 1 1 1 1 1;
        mso-font-alt:\5B8B\4F53;
        mso-font-charset:134;
        mso-generic-font-family:auto;
        mso-font-pitch:variable;
        mso-font-signature:3 135135232 16 0 262145 0;}
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;
        mso-font-charset:0;
        mso-generic-font-family:swiss;
        mso-font-pitch:variable;
        mso-font-signature:1627421319 -2147483648 8 0 66047 0;}
@font-face
        {font-family:Verdana;
        panose-1:2 11 6 4 3 5 4 4 2 4;
        mso-font-charset:0;
        mso-generic-font-family:swiss;
        mso-font-pitch:variable;
        mso-font-signature:536871559 0 0 0 415 0;}
@font-face
        {font-family:"\@SimSun";
        panose-1:2 1 6 0 3 1 1 1 1 1;
        mso-font-charset:134;
        mso-generic-font-family:auto;
        mso-font-pitch:variable;
        mso-font-signature:3 135135232 16 0 262145 0;}
 /* Style Definitions */
 p.MsoNormal, li.MsoNormal, div.MsoNormal
        {mso-style-parent:"";
        margin:0in;
        margin-bottom:.0001pt;
        mso-pagination:widow-orphan;
        font-size:12.0pt;
        font-family:"Times New Roman";
        mso-fareast-font-family:SimSun;}
a:link, span.MsoHyperlink
        {color:blue;
        text-decoration:underline;
        text-underline:single;}
a:visited, span.MsoHyperlinkFollowed
        {color:purple;
        text-decoration:underline;
        text-underline:single;}
span.EmailStyle17
        {mso-style-type:personal;
        mso-style-noshow:yes;
        font-family:Arial;
        mso-ascii-font-family:Arial;
        mso-hansi-font-family:Arial;
        mso-bidi-font-family:Arial;
        color:navy;}
span.EmailStyle18
        {mso-style-type:personal-reply;
        mso-style-noshow:yes;
        mso-ansi-font-size:10.0pt;
        mso-bidi-font-size:10.0pt;
        font-family:Verdana;
        mso-ascii-font-family:Verdana;
        mso-hansi-font-family:Verdana;
        color:blue;
        font-weight:normal;
        font-style:normal;
        text-decoration:none;
        text-underline:none;
        text-decoration:none;
        text-line-through:none;}
span.SpellE
        {mso-style-name:"";
        mso-spl-e:yes;}
span.GramE
        {mso-style-name:"";
        mso-gram-e:yes;}
@page Section1
        {size:8.5in 11.0in;
        margin:1.0in 1.25in 1.0in 1.25in;
        mso-header-margin:.5in;
        mso-footer-margin:.5in;
        mso-paper-source:0;}
div.Section1
        {page:Section1;}
 /* List Definitions */
 @list l0
        {mso-list-id:783158782;
        mso-list-type:hybrid;
        mso-list-template-ids:-2011892368 67698703 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
@list l0:level1
        {mso-level-tab-stop:.5in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l1
        {mso-list-id:1281454674;
        mso-list-type:hybrid;
        mso-list-template-ids:-807910714 67698703 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
@list l1:level1
        {mso-level-tab-stop:.5in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l1:level2
        {mso-level-tab-stop:1.0in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l1:level3
        {mso-level-tab-stop:1.5in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l1:level4
        {mso-level-tab-stop:2.0in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l1:level5
        {mso-level-tab-stop:2.5in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l1:level6
        {mso-level-tab-stop:3.0in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l1:level7
        {mso-level-tab-stop:3.5in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l1:level8
        {mso-level-tab-stop:4.0in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l1:level9
        {mso-level-tab-stop:4.5in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l2
        {mso-list-id:2129200057;
        mso-list-type:hybrid;
        mso-list-template-ids:-1458541568 67698705 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
@list l2:level1
        {mso-level-text:"%1\)";
        mso-level-tab-stop:.5in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l2:level2
        {mso-level-tab-stop:1.0in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l2:level3
        {mso-level-tab-stop:1.5in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l2:level4
        {mso-level-tab-stop:2.0in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l2:level5
        {mso-level-tab-stop:2.5in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l2:level6
        {mso-level-tab-stop:3.0in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l2:level7
        {mso-level-tab-stop:3.5in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l2:level8
        {mso-level-tab-stop:4.0in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l2:level9
        {mso-level-tab-stop:4.5in;
        mso-level-number-position:left;
        text-indent:-.25in;}
ol
        {margin-bottom:0in;}
ul
        {margin-bottom:0in;}
-->
</style>
<!--[if gte mso 10]>
<style>
 /* Style Definitions */ 
 table.MsoNormalTable
        {mso-style-name:"Table Normal";
        mso-tstyle-rowband-size:0;
        mso-tstyle-colband-size:0;
        mso-style-noshow:yes;
        mso-style-parent:"";
        mso-padding-alt:0in 5.4pt 0in 5.4pt;
        mso-para-margin:0in;
        mso-para-margin-bottom:.0001pt;
        mso-pagination:widow-orphan;
        font-size:10.0pt;
        font-family:"Times New Roman";}
</style>
<![endif]-->
</head>

<body lang=EN-US link=blue vlink=purple style='tab-interval:.5in'>

<div class=Section1>

<p class=MsoNormal><st1:place><span class=SpellE><font size=2 face=Verdana><span
 style='font-size:10.0pt;font-family:Verdana'>Ravi</span></font></span></st1:place><font
size=2 face=Verdana><span style='font-size:10.0pt;font-family:Verdana'>,<o:p></o:p></span></font></p>

<p class=MsoNormal><font size=2 face=Verdana><span style='font-size:10.0pt;
font-family:Verdana'><o:p> </o:p></span></font></p>

<p class=MsoNormal><font size=2 face=Verdana><span style='font-size:10.0pt;
font-family:Verdana'>There is always a conflict between: <o:p></o:p></span></font></p>

<ol style='mso-margin-top-alt:0in' start=1 type=1>
 <li class=MsoNormal style='mso-list:l0 level1 lfo5;tab-stops:list .5in'><font
     size=2 face=Verdana><span style='font-size:10.0pt;font-family:Verdana'>I
     want to have rules that monitor almost everything that is interesting,
     and, <o:p></o:p></span></font></li>
 <li class=MsoNormal style='mso-list:l0 level1 lfo5;tab-stops:list .5in'><font
     size=2 face=Verdana><span style='font-size:10.0pt;font-family:Verdana'>I
     don’t want to have rules that generate too many alerts. <o:p></o:p></span></font></li>
</ol>

<p class=MsoNormal><font size=2 face=Verdana><span style='font-size:10.0pt;
font-family:Verdana'><o:p> </o:p></span></font></p>

<p class=MsoNormal><font size=2 face=Verdana><span style='font-size:10.0pt;
font-family:Verdana'>SFS is a tool that enables you to enjoy both worlds. With
SFS you can leave your ‘noisy’ rules active and have SFS build the
‘normal’ behavior of these rules into its behavioral model. From
then on, alerts that match the normal activity will be given a ‘low
priority’ by SFS and, more importantly, if these rules generate alerts
that deviate from the normal activity, SFS will identify them and will give these
alerts (although coming from the same rule!!!) high priority. <o:p></o:p></span></font></p>

<p class=MsoNormal><font size=2 face=Verdana><span style='font-size:10.0pt;
font-family:Verdana'><o:p> </o:p></span></font></p>

<p class=MsoNormal><font size=2 face=Verdana><span style='font-size:10.0pt;
font-family:Verdana'>In your case, if you apply SFS, you will still be able to
see the A.A.A.A and B.B.B.B alerts on the report, but if these alerts are
normal to the activity of your system, they will be assigned a low priority
which means you can ignore them. However, if an alert deviates from this
“normal” behavior of your system, SFS will assign it a higher
priority level for your attention. Hence, you will be able to detect any
suspicious behavior from within and from the outside.<o:p></o:p></span></font></p>

<p class=MsoNormal><font size=2 face=Verdana><span style='font-size:10.0pt;
font-family:Verdana'><o:p> </o:p></span></font></p>

<p class=MsoNormal><font size=2 face=Verdana><span style='font-size:10.0pt;
font-family:Verdana'>You can download SFS for FREE at <a
href="http://www.securimine.com/download.html"><span style='mso-bidi-font-family:
Arial'>www.securimine.com/download.html</span></a><o:p></o:p></span></font></p>

<p class=MsoNormal><font size=2 face=Verdana><span style='font-size:10.0pt;
font-family:Verdana'><o:p> </o:p></span></font></p>

<p class=MsoNormal><font size=2 face=Verdana><span style='font-size:10.0pt;
font-family:Verdana'><o:p> </o:p></span></font></p>

<p class=MsoNormal><font size=2 face=Verdana><span style='font-size:10.0pt;
font-family:Verdana'>Orit Vidas<o:p></o:p></span></font></p>

<p class=MsoNormal><font size=2 face=Verdana><span style='font-size:10.0pt;
font-family:Verdana'><a href="http://www.securimine.com/"><span
style='mso-bidi-font-family:Arial'>www.securimine.com</span></a><o:p></o:p></span></font></p>

<p class=MsoNormal><font size=2 color=blue face=Verdana><span style='font-size:
10.0pt;font-family:Verdana;color:blue'><o:p> </o:p></span></font></p>

<p class=MsoNormal><font size=2 color=blue face=Verdana><span style='font-size:
10.0pt;font-family:Verdana;color:blue'><o:p> </o:p></span></font></p>

<div>

<p class=MsoNormal style='margin-left:.5in'><font size=2 face=Tahoma><span
style='font-size:10.0pt;font-family:Tahoma'>-----Original Message-----<br>
<b><span style='font-weight:bold'>From:</span></b>
snort-users-admin@lists.sourceforge.net
[mailto:snort-users-admin@lists.sourceforge.net] <b><span style='font-weight:
bold'>On Behalf Of </span></b>Esler, Joel - Contractor<br>
<b><span style='font-weight:bold'>Sent:</span></b> </span></font><st1:date
Month="11" Day="30" Year="2004"><font size=2 face=Tahoma><span
 style='font-size:10.0pt;font-family:Tahoma'>Tuesday, November 30, 2004</span></font></st1:date><font
size=2 face=Tahoma><span style='font-size:10.0pt;font-family:Tahoma'> </span></font><st1:time
Hour="11" Minute="29"><font size=2 face=Tahoma><span style='font-size:10.0pt;
 font-family:Tahoma'>11:29 AM</span></font></st1:time><font size=2 face=Tahoma><span
style='font-size:10.0pt;font-family:Tahoma'><br>
<b><span style='font-weight:bold'>To:</span></b> RKejariwal@...12730...; </span></font><st1:PersonName><font
 size=2 face=Tahoma><span style='font-size:10.0pt;font-family:Tahoma'>snort-users@lists.sourceforge.net</span></font></st1:PersonName><font
size=2 face=Tahoma><span style='font-size:10.0pt;font-family:Tahoma'><br>
<b><span style='font-weight:bold'>Subject:</span></b> RE: [Snort-users] netbios
rules question</span></font><o:p></o:p></p>

</div>

<p class=MsoNormal style='margin-left:.5in'><font size=3 face="Times New Roman"><span
style='font-size:12.0pt'><o:p> </o:p></span></font></p>

<div>

<p class=MsoNormal style='margin-left:.5in'><font size=2 color=blue face=Arial><span
style='font-size:10.0pt;font-family:Arial;color:blue'>I would most likely say
that these are informational signatures.  They aren't false positives, but if
you do a lot of drive/network shares and stuff like that, you're going to see
that kind of thing.</span></font><o:p></o:p></p>

</div>

<div>

<p class=MsoNormal style='margin-left:.5in'><font size=3 face="Times New Roman"><span
style='font-size:12.0pt'> <o:p></o:p></span></font></p>

</div>

<div>

<p class=MsoNormal style='margin-left:.5in'><font size=2 color=blue face=Arial><span
style='font-size:10.0pt;font-family:Arial;color:blue'>Joel</span></font><o:p></o:p></p>

</div>

<blockquote style='margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt'>

<p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:
12.0pt;margin-left:.5in'><font size=2 face=Tahoma><span style='font-size:10.0pt;
font-family:Tahoma'>-----Original Message-----<br>
<b><span style='font-weight:bold'>From:</span></b>
snort-users-admin@lists.sourceforge.net
[mailto:snort-users-admin@lists.sourceforge.net] <b><span style='font-weight:
bold'>On Behalf Of </span></b>RKejariwal@...12730...<br>
<b><span style='font-weight:bold'>Sent:</span></b> </span></font><st1:date
Month="11" Day="30" Year="2004"><font size=2 face=Tahoma><span
 style='font-size:10.0pt;font-family:Tahoma'>Tuesday, November 30, 2004</span></font></st1:date><font
size=2 face=Tahoma><span style='font-size:10.0pt;font-family:Tahoma'> </span></font><st1:time
Hour="14" Minute="13"><font size=2 face=Tahoma><span style='font-size:10.0pt;
 font-family:Tahoma'>2:13 PM</span></font></st1:time><font size=2 face=Tahoma><span
style='font-size:10.0pt;font-family:Tahoma'><br>
<b><span style='font-weight:bold'>To:</span></b>
snort-users@lists.sourceforge.net<br>
<b><span style='font-weight:bold'>Subject:</span></b> [Snort-users] netbios
rules question</span></font><o:p></o:p></p>

<p class=MsoNormal style='margin-left:.5in'><font size=3 face="Times New Roman"><span
style='font-size:12.0pt'><br>
</span></font><font size=2 face=Arial><span style='font-size:10.0pt;font-family:
Arial'>Hi All</span></font> <br>
<font size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'>I had
a question regarding netbios rules. Lately I have been receiving a lot of the
alerts shown below, where A.A.A.A and B.B.B.B are both internal hosts on my
network. In addition, B.B.B.B is the IP address of our domain controller.
 Is this merely a false positive or something I should be concerned about?
How do I go about troubleshooting further to see what exactly is happening? Any
help will be appreciated</span></font> <br>
<br>
<font size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'>Thanks</span></font>
<br>
<font size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'>Ravi</span></font>
<br>
<br>
<font size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'>[**]
[1:2466:4] NETBIOS SMB-DS IPC$ share unicode access [**]</span></font> <br>
<font size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'>[Classification:
Generic Protocol Command Decode] [Priority: 3] </span></font><br>
<font size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'>11/30-14:05:00.173386
A.A.A.A:1105 -> B.B.B.B:139</span></font> <br>
<font size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'>TCP
TTL:128 TOS:0x0 ID:22636 IpLen:20 DgmLen:128 DF</span></font> <br>
<font size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'>***AP***
Seq: 0xD1482D9A  Ack: 0x4A54B89D  Win: 0xFFFF  TcpLen: 20</span></font>
<br>
<br>
<font size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'>[**]
[1:2404:5] NETBIOS SMB-DS Session Setup AndX request unicode username overflow
attempt [**]</span></font> <br>
<font size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'>[Classification:
Attempted Administrator Privilege Gain] [Priority: 1] </span></font><br>
<font size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'>11/30-14:05:00.163386
 A.A.A.A:1105 -> B.B.B.B:445</span></font> <br>
<font size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'>TCP
TTL:128 TOS:0x0 ID:22635 IpLen:20 DgmLen:1440 DF</span></font> <br>
<font size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'>***AP***
Seq: 0xD1482822  Ack: 0x4A54B769  Win: 0xFAB7  TcpLen: 20</span></font>
<br>
<font size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'>[Xref
=> http://www.eeye.com/html/research/advisories/ad20040226.html][Xref =>
http://www.securityfocus.com/bid/9752]</span></font> <br>
<br>
<font size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'><br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
The information transmitted is intended only for the person or entity to which
it is addressed and may contain confidential and/or privileged material.
 Any review, retransmission, dissemination or other use of, or taking of
any action in reliance upon, this information by persons or entities other than
the intended recipient is prohibited.   If you received this in error,
please contact the sender and delete the material from any computer.</span></font><o:p></o:p></p>

</blockquote>

</div>

</body>

</html>
<BR>

<P><FONT SIZE=2>---<BR>
Incoming mail is certified Virus Free.<BR>
Checked by AVG anti-virus system (http://www.grisoft.com).<BR>
Version: 6.0.799 / Virus Database: 543 - Release Date: 11/19/2004<BR>
</FONT> </P><BR>

<P><FONT SIZE=2>---<BR>
Outgoing mail is certified Virus Free.<BR>
Checked by AVG anti-virus system (http://www.grisoft.com).<BR>
Version: 6.0.799 / Virus Database: 543 - Release Date: 11/19/2004<BR>
</FONT> </P>