Snort mailing list archives
RE: NETBIOS SMB winreg access (unicode)
From: "larosa, vjay" <larosa_vjay () emc com>
Date: Wed, 14 Apr 2004 14:28:00 -0400
This server is testing to see if it can remotely access the registry over the network. If winreg can be remotely accessed then the requesting server will have access across the network to view/modify the registry remotely.

vjl

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Perrymon, Josh L.
Sent: Wednesday, April 14, 2004 1:40 PM
To: 'snort-users () lists sourceforge net'
Subject: [Snort-users] NETBIOS SMB winreg access (unicode)

I see a lot of NETBIOS SMB winreg access (unicode) alerts on my Frame side. Does anyone else see this on their network? I have 28,000 hits in 3 days from a proxy server going to 50 destinations on my network.

payload: length = 104

000 : 00 00 00 64 FF 53 4D 42 A2 00 00 00 00 18 07 C8   ...d.SMB........
010 : 00 00 00 00 00 00 00 00 00 00 00 00 00 28 14 04   .............(..
020 : 01 48 42 EB 18 FF 00 DE DE 00 0E 00 16 00 00 00   .HB.............
030 : 00 00 00 00 9F 01 02 00 00 00 00 00 00 00 00 00   ................
040 : 00 00 00 00 03 00 00 00 01 00 00 00 40 00 00 00   ............@...
050 : 02 00 00 00 03 11 00 00 5C 00 77 00 69 00 6E 00   ........\.w.i.n.
060 : 72 00 65 00 67 00 00 00                           r.e.g...

Does this look normal?

JP

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
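For anyone triaging the same alert: the sketch below is an added example, not part of the original thread or of Snort. It decodes the 104-byte payload quoted above as an SMB1 NT_CREATE_ANDX request and pulls out the name being opened; the function names are hypothetical and the field offsets assume the standard SMB1 request layout.

```python
import struct

# Constructed input: the 104-byte payload re-typed from the hex dump in the post.
PAYLOAD = bytes.fromhex(
    "00 00 00 64 FF 53 4D 42 A2 00 00 00 00 18 07 C8 "
    "00 00 00 00 00 00 00 00 00 00 00 00 00 28 14 04 "
    "01 48 42 EB 18 FF 00 DE DE 00 0E 00 16 00 00 00 "
    "00 00 00 00 9F 01 02 00 00 00 00 00 00 00 00 00 "
    "00 00 00 00 03 00 00 00 01 00 00 00 40 00 00 00 "
    "02 00 00 00 03 11 00 00 5C 00 77 00 69 00 6E 00 "
    "72 00 65 00 67 00 00 00"
)
SMB_COM_NT_CREATE_ANDX = 0xA2   # command byte right after the "\xffSMB" magic
FLAGS2_UNICODE = 0x8000         # Flags2 bit: strings are UTF-16LE
WORDS = 33                      # parameter words follow 32-byte header + WordCount

def parse_nt_create(payload: bytes) -> dict:
    """Decode an SMB1 NT_CREATE_ANDX request inside a NetBIOS session message."""
    if len(payload) < 4:
        raise ValueError("too short for a session header")
    length = int.from_bytes(payload[1:4], "big")       # session length field
    smb = payload[4:4 + length]
    if len(smb) != length or length < WORDS + 50 or smb[:4] != b"\xffSMB":
        raise ValueError("truncated or not an SMB1 message")
    if smb[4] != SMB_COM_NT_CREATE_ANDX or smb[32] != 24:  # command, WordCount
        raise ValueError("not an NT_CREATE_ANDX request")
    uni = bool(struct.unpack_from("<H", smb, 10)[0] & FLAGS2_UNICODE)
    name_len = struct.unpack_from("<H", smb, WORDS + 5)[0]
    access = struct.unpack_from("<I", smb, WORDS + 15)[0]
    byte_count = struct.unpack_from("<H", smb, WORDS + 48)[0]
    data = WORDS + 50                                  # first byte after ByteCount
    end = data + byte_count
    if uni and data % 2:                               # pad to a 16-bit boundary
        data += 1
    if end > len(smb) or data + name_len > end:
        raise ValueError("name runs past the message")
    raw = smb[data:data + name_len]
    name = raw.decode("utf-16-le" if uni else "ascii", "replace").rstrip("\x00")
    return {"unicode": uni, "name": name, "desired_access": access}

def is_winreg_open(payload: bytes) -> bool:
    """True when the request opens the winreg named pipe."""
    try:
        return parse_nt_create(payload)["name"].lstrip("\\").lower() == "winreg"
    except ValueError:
        return False
```

On the quoted payload this yields the name `\winreg` with the Unicode flag set, which matches the "(unicode)" in the alert name.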
Current thread:
- NETBIOS SMB winreg access (unicode) Perrymon, Josh L. (Apr 14)
- <Possible follow-ups>
- RE: NETBIOS SMB winreg access (unicode) Perrymon, Josh L. (Apr 14)
- RE: NETBIOS SMB winreg access (unicode) larosa, vjay (Apr 14)