Snort mailing list archives
Re: Noob
From: Brian Stamper <BStamper () spencerhospital org>
Date: Thu, 23 Dec 2004 13:31:11 -0600
OK so I've got everything up and running well. Just now put it on a monitored port. Let it go for 1 min and ended up with 159 alerts. I've edited the snort.conf and added my home network rather than any, as well as entered the IPs of my DNS/SMTP server variables. I have 10 unique alerts, largest below:

75 - protocol-command-decode - NETBIOS SMB winreg Unicode access

Everything in this group is headed from my Proxy/DNS server to either my Citrix servers or my domain controller. Orig. port is mostly 42385, 1028, 14146 and the dest. port is always 139. Any ideas of what's going on here causing all of these, or is this just standard operating and network traffic that I need to block out?

30 - protocol-command-decode - NETBIOS SMB IPC$ share Unicode access

Again most of this is coming from random ports on the Citrix servers headed for port 139 on other servers and significant machines... almost looks like normal traffic?

21 - attempted-admin - NETBIOS SMB DCERPC NTLMSSP asn1 overflow attempt

This comes from everywhere, yet again is always destined for port 139 of some significant machine?

Again, I'm running Snort 2.2.0 on a network w/ about 300 or so devices. Does this look normal to everyone and do I just need to block this type of stuff so that it doesn't get logged as alerts, or do you think it might actually be a problem?

Thanks so much in advance.

Brian