Security Incidents mailing list archives
RE: spoolss overflow attempt: unknow threat or false alert ?
From: "Buozis, Martynas" <martynas () ti com>
Date: Fri, 8 Sep 2006 14:44:30 +0200
Joel I did before writing to this list. Text is here http://www.snort.org/pub-bin/sigs.cgi?sid=4421. There are no false negatives, attack is easy, and impact is serious. I would ignore this, but packets are being sent persistently - I get thousands of events logged by snort. Amount of workstations, that send packets, is increasing. Workstations are sending packets to servers in different networks and domains. Why workstation in different subnet and different domain shall send this kind of AddPrinterEx’es to server, that has nothing common with its setup and run? I have more question than answers behind this activity and this is the reason why I am asking about this in mailing list. Even without risk indicated by SNORT I would raise a question why Windows workstations shall send packets in huge amount like this to servers that serve completely different networks and domains? Most of these servers are not any kind of browsing masters, so why AddPrinter shall be sent to these? With best regards Martynas ________________________________________ From: Joel Esler [mailto:eslerj () gmail com] Sent: Friday, September 08, 2006 2:12 PM To: Buozis, Martynas Cc: incidents () securityfocus com Subject: Re: spoolss overflow attempt: unknow threat or false alert ? As with any alert in Snort, make sure you read the rule documentation that is included with the rules. Or check the rule on the snort.org site by typing in the sid number on the left of the site. Joel BTW -- Snort is not in all caps :) On 9/7/06, Buozis, Martynas <martynas () ti com> wrote: Hello I see many packets coming from various hosts to few servers (both clients and servers are inside Intranet) that are identified by SNORT as NETBIOS SMB spoolss AddPrinterEx unicode little endian overflow attempt. I checked source hosts with AV and spyware software but found nothing, while these packets continue to flow persistently in large amounts. Is it some false positive by SNORT or is it an unknown security threat (trojan/worm/virus) behind this activity? Is this packet really complies signature of real hacking attempt? Can somebody tell me what real threat is in typical packet, if any? What can be real risk behind these packages ? Typical packet payload look following: 000 : 00 00 02 52 FF 53 4D 42 25 00 00 00 00 18 03 80 ...R.SMB%....... 010 : D1 80 00 00 00 00 00 00 00 00 00 00 01 00 00 98 ................ 020 : 64 00 C0 00 10 00 00 FE 01 00 00 00 04 00 00 00 d............... 030 : 00 00 00 00 00 00 00 00 00 54 00 FE 01 54 00 02 .........T...T.. 040 : 00 26 00 61 73 0F 02 5C 5C 00 50 00 49 00 50 00 .&.as..\\.P.I.P. 050 : 45 00 5C 00 00 00 00 5C 05 00 00 03 10 00 00 00 E.\....\........ 060 : FE 01 00 00 01 00 00 00 E6 01 00 00 00 00 46 00 ..............F. 070 : 98 FE 2D 03 0A 00 00 00 00 00 00 00 0A 00 00 00 ..-............. 080 : 5C 00 5C 00 46 00 46 00 41 00 42 00 53 00 4D 00 \.\.F.F.A.B.S.M. 090 : 42 00 00 00 01 00 00 00 01 00 00 00 50 FE 2D 03 B...........P.-. 0a0 : 18 08 00 00 E4 F5 2D 03 24 FC 2D 03 58 F1 CA 02 ......-.$.-.X... 0b0 : 51 00 00 00 00 00 00 00 51 00 00 00 5C 00 5C 00 Q.......Q...\.\. 0c0 : 4F 00 4E 00 59 00 58 00 5C 00 77 00 66 00 72 00 O.N.Y.X.\.w.f.r. 0d0 : 73 00 74 00 6B 00 31 00 2C 00 48 00 50 00 20 00 s.t.k.1.,.H.P. . 0e0 : 4C 00 61 00 73 00 65 00 72 00 4A 00 65 00 74 00 L.a.s.e.r.J.e.t. 0f0 : 20 00 34 00 30 00 35 00 30 00 20 00 53 00 65 00 .4.0.5.0. .S.e. 100 : 72 00 69 00 65 00 73 00 20 00 50 00 53 00 2C 00 r.i.e.s. .P.S.,. 110 : 42 00 6C 00 64 00 67 00 2E 00 20 00 33 00 20 00 B.l.d.g... .3. . 120 : 53 00 2E 00 20 00 50 00 72 00 6F 00 62 00 65 00 S... .P.r.o.b.e. 130 : 20 00 6E 00 65 00 78 00 74 00 20 00 74 00 6F 00 .n.e.x.t. .t.o. 140 : 20 00 74 00 68 00 65 00 20 00 4F 00 6C 00 69 00 .t.h.e. .O.l.i. 150 : 20 00 49 00 6E 00 6B 00 65 00 72 00 00 00 72 00 .I.n.k.e.r...r. 160 : 0F 00 00 00 00 00 00 00 0F 00 00 00 5C 00 5C 00 ............\.\. 170 : 4F 00 4E 00 59 00 58 00 5C 00 77 00 66 00 72 00 O.N.Y.X.\.w.f.r. 180 : 73 00 74 00 6B 00 31 00 00 00 31 00 2D 00 00 00 s.t.k.1...1.-... 190 : 00 00 00 00 2D 00 00 00 48 00 50 00 20 00 4C 00 ....-...H.P. .L. 1a0 : 4A 00 34 00 30 00 35 00 30 00 20 00 2D 00 20 00 J.4.0.5.0. .-. . 1b0 : 32 00 34 00 4D 00 62 00 20 00 72 00 61 00 6D 00 2.4.M.b. .r.a.m. 1c0 : 20 00 2D 00 20 00 41 00 6C 00 73 00 6F 00 20 00 .-. .A.l.s.o. . 1d0 : 61 00 20 00 44 00 41 00 5A 00 45 00 4C 00 20 00 a. .D.A.Z.E.L. . 1e0 : 2D 00 20 00 4E 00 54 00 53 00 4E 00 35 00 41 00 -. .N.T.S.N.5.A. 1f0 : 00 00 41 00 00 00 00 00 00 00 00 00 00 00 00 00 ..A............. 200 : 00 00 00 00 01 00 00 00 01 00 00 00 1C F5 2D 03 ..............-. 210 : 1C 00 00 00 70 03 C7 02 10 F3 2D 03 65 05 00 00 ....p.....-.e... 220 : 02 00 00 00 00 00 00 00 00 00 00 00 07 00 00 00 ................ 230 : 00 00 00 00 07 00 00 00 5C 00 5C 00 4F 00 4E 00 ........\.\.O.N. 240 : 59 00 58 00 00 00 58 00 01 00 00 00 00 00 00 00 Y.X...X......... 250 : 01 00 00 00 00 00 ...... Martynas ------------------------------------------------------------------------------ This List Sponsored by: Black Hat Attend the Black Hat Briefings & Training USA, July 29-August 3 in Las Vegas. World renowned security experts reveal tomorrow's threats today. Free of vendor pitches, the Briefings are designed to be pragmatic regardless of your security environment. Featuring 36 hands-on training courses and 10 conference tracks, networking opportunities with over 2,500 delegates from 40+ nations. http://www.blackhat.com ------------------------------------------------------------------------------ -- --Joel Esler ISC Incident Handler http://www.incidents.org ------------------------------------------------------------------------------ This List Sponsored by: Black Hat Attend the Black Hat Briefings & Training USA, July 29-August 3 in Las Vegas. World renowned security experts reveal tomorrow's threats today. Free of vendor pitches, the Briefings are designed to be pragmatic regardless of your security environment. Featuring 36 hands-on training courses and 10 conference tracks, networking opportunities with over 2,500 delegates from 40+ nations. http://www.blackhat.com ------------------------------------------------------------------------------
Current thread:
- spoolss overflow attempt: unknow threat or false alert ? Buozis, Martynas (Sep 07)
- Re: spoolss overflow attempt: unknow threat or false alert ? mark Hoffman (Sep 08)
- RE: spoolss overflow attempt: unknow threat or false alert ? Buozis, Martynas (Sep 08)
- Re: spoolss overflow attempt: unknow threat or false alert ? Emanuele Rocca (Sep 08)
- Re: spoolss overflow attempt: unknow threat or false alert ? Jonathan Nichols (Sep 11)
- <Possible follow-ups>
- RE: spoolss overflow attempt: unknow threat or false alert ? Buozis, Martynas (Sep 08)
- Re: spoolss overflow attempt: unknow threat or false alert ? Sûnnet Beskerming (Sep 11)
- Re: spoolss overflow attempt: unknow threat or false alert ? mark Hoffman (Sep 08)