Snort mailing list archives

Re: Noob


From: Brian Stamper <BStamper () spencerhospital org>
Date: Thu, 23 Dec 2004 13:31:11 -0600

OK, so I've got everything up and running well.  Just now put it on a
monitored port.  Let it go for 1 min and ended up with 159 alerts.  I've
edited the snort.conf and added my home network rather than any, as well as
entered the IPs of my DNS/SMTP server variables.

I have 10 unique alerts; the largest are below:
75 - protocol-command-decode - NETBIOS SMB winreg Unicode access
 Everything in this group is headed from my Proxy/DNS server to either my
Citrix servers or my domain controller.  Orig. port is mostly
42385, 1028, 14146 and the dest. port is always 139.  Any ideas of what's
going on here causing all of these, or is this just standard operating and
network traffic that I need to block out?

30 - protocol-command-decode - NETBIOS SMB IPC$ share Unicode access
Again, most of this is coming from random ports on the Citrix servers headed
for port 139 on other servers and significant machines... almost looks like
normal traffic?

21 - attempted-admin - NETBIOS SMB DCERPC NTLMSSP asn1 overflow attempt
This comes from everywhere, yet again it is always destined for port 139 of some
significant machine?

Again, I'm running Snort 2.2.0 on a network with about 300 or so devices.  Does
this look normal to everyone, and do I just need to block this type of stuff
so that it doesn't get logged as alerts, or do you think it might actually be
a problem?

Thanks so much in advance.  
Brian
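The post above tallies alerts by signature and notes which hosts they come from before deciding what to suppress. The script below is an added example, not code from the original post or from the Snort project: it parses Snort 2.x alert_fast lines, summarises each signature by count, source hosts and destination ports, and drafts Snort 2.x `suppress` entries only for signatures whose every event originates from a host on a trusted list. The alert lines, the IP addresses and the signature IDs 9001-9003 are constructed placeholders (they are not the real SIDs of the rules named in the post); the trusted-host list is an assumption standing in for the proxy/DNS and Citrix servers.

```python
"""Summarise Snort alert_fast lines and draft 'suppress' entries.

Added example, not from the original post. SAMPLE_ALERTS is constructed;
the SIDs 9001-9003 and all addresses are placeholders, not real rule IDs.
"""
import re
from collections import defaultdict

# Constructed alert_fast-format sample: three internal servers (10.1.1.5 is
# the proxy/DNS box, 10.1.1.20/.21 are Citrix), one unknown internal host and
# one external address. SIDs are placeholders.
SAMPLE_ALERTS = """\
12/23-13:30:01.000001  [**] [1:9001:1] NETBIOS SMB winreg Unicode access [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 10.1.1.5:42385 -> 10.1.1.20:139
12/23-13:30:02.000001  [**] [1:9001:1] NETBIOS SMB winreg Unicode access [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 10.1.1.5:1028 -> 10.1.1.21:139
12/23-13:30:03.000001  [**] [1:9001:1] NETBIOS SMB winreg Unicode access [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 10.1.1.5:14146 -> 10.1.1.20:139
12/23-13:30:04.000001  [**] [1:9002:1] NETBIOS SMB IPC$ share Unicode access [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 10.1.1.20:3045 -> 10.1.1.30:139
12/23-13:30:05.000001  [**] [1:9002:1] NETBIOS SMB IPC$ share Unicode access [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 10.1.1.21:3046 -> 10.1.1.30:139
12/23-13:30:06.000001  [**] [1:9003:1] NETBIOS SMB DCERPC NTLMSSP asn1 overflow attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.1.1.77:2049 -> 10.1.1.21:139
12/23-13:30:07.000001  [**] [1:9003:1] NETBIOS SMB DCERPC NTLMSSP asn1 overflow attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.0.2.9:5566 -> 10.1.1.21:139
"""

# Hosts whose SMB chatter to internal servers is expected (assumption).
TRUSTED_HOSTS = {"10.1.1.5", "10.1.1.20", "10.1.1.21"}

ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):\d+\] (?P<msg>.*?) \[\*\*\]"
    r".*?\[Priority: (?P<prio>\d+)\] \{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)


def parse_alerts(text):
    """Return one dict per alert_fast line; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue
        a = m.groupdict()
        for key in ("gid", "sid", "prio", "sport", "dport"):
            a[key] = int(a[key])
        alerts.append(a)
    return alerts


def summarise(alerts):
    """Group by (gid, sid, msg): event count, distinct sources, destination ports."""
    summary = defaultdict(lambda: {"count": 0, "srcs": set(), "dports": set()})
    for a in alerts:
        s = summary[(a["gid"], a["sid"], a["msg"])]
        s["count"] += 1
        s["srcs"].add(a["src"])
        s["dports"].add(a["dport"])
    return dict(summary)


def suppress_candidates(alerts, trusted_hosts):
    """Draft Snort 2.x suppress lines (track by_src) for signatures whose
    events all come from trusted hosts. A signature with even one event from
    an untrusted source is left alone so it keeps alerting."""
    lines = []
    for (gid, sid, _msg), s in sorted(summarise(alerts).items()):
        if s["srcs"] <= set(trusted_hosts):
            for src in sorted(s["srcs"]):
                lines.append(f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {src}")
    return lines


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    for (gid, sid, msg), s in sorted(summarise(parsed).items(), key=lambda kv: -kv[1]["count"]):
        print(f"{s['count']:>4}  [{gid}:{sid}] {msg}")
        print(f"      from {sorted(s['srcs'])} to ports {sorted(s['dports'])}")
    print("\n# candidate entries for threshold.conf")
    for line in suppress_candidates(parsed, TRUSTED_HOSTS):
        print(line)
```

Run against the constructed sample, the winreg and IPC$ signatures get per-source suppress entries (all events come from the trusted servers), while the asn1 overflow signature gets none because one of its events came from an address outside the trusted set; that is the split the post is asking about, handled per signature and per source rather than by disabling the rule.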


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users