Full Disclosure mailing list archives
NETBIOS SMB IPC$ share unicode access (snort)
From: Martin <nakal () web de>
Date: Wed, 15 Sep 2004 21:20:04 +0200
Hi,

I'm a beginner with IDS systems, so don't hurt me, pls. :) I hope this question is not off-topic. I have looked for answers everywhere. Maybe I've overlooked something.

Here is our scenario: on our network, we have 6 MS-Windows PCs which are constantly generating snort alerts of the following type (approx. 30-minute intervals for each host, even when idle):

Snort SID: 538
http://www.snort.org/snort-db/sid.html?sid=538
ArachNIDS: 334
http://www.digitaltrust.it/arachnids/IDS334/event.html

These 6 PCs are 2 WinXP and 4 Windows 2000 computers. We have a further 2 Windows 2000 PCs, 2 Windows 98 PCs and various Unix-based machines that don't show this behavior. Virus scanners with the latest signatures don't show any infections. I don't see any strange things running in the process tables. I've been looking for internet worms showing this type of characteristics, but nothing seems to react like this.

Here is the packet content which is causing such an alert:

Destination: 139/TCP
000 : 00 00 00 4E FF 53 4D 42 75 00 00 00 00 18 07 C8   ...N.SMBu.......
010 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 FF FE   ................
020 : 64 00 C0 00 04 FF 00 4E 00 08 00 01 00 23 00 00   d......N.....#..
030 : 5C 00 5C 00 48 00 4F 00 53 00 54 00 41 00 41 00   \.\.H.O.S.T.A.A.
040 : 5C 00 49 00 50 00 43 00 24 00 00 00 3F 3F 3F 3F   \.I.P.C.$...????
050 : 3F 00                                             ?.

(I've replaced my host name with HOSTAA here. The packet is exactly the same for every source host.)

Could it be a false positive? If yes, I would like to know why 2 Windows 2000 PCs don't generate such alerts.

Any ideas?

Thanks in advance.

Martin

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
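The bytes quoted above decode as an SMB_COM_TREE_CONNECT_ANDX request (command byte 0x75) whose Flags2 word (0xC807) has the UNICODE bit 0x8000 set, with Path "\\HOSTAA\IPC$" encoded as UTF-16LE and Service "?????" (meaning "any service type"). The string "I.P.C.$" visible in the ASCII column is exactly that UTF-16LE "IPC$", which is what a rule named "IPC$ share unicode access" is matching on; the rule is a byte-pattern match, so it fires on any client that connects to IPC$ with Unicode strings, whatever the client's intent. The following script is an added example, not code from the post or from snort: it parses the posted packet field by field, rebuilds it byte-for-byte from the decoded values (so the decoding can be checked against the dump), and applies a deliberately simplified stand-in for the SID 538 match. The field layout follows the CIFS TreeConnectAndX request format; the match function is an assumption about the essence of the rule (destination 139/TCP, TREE_CONNECT_ANDX, UTF-16LE "IPC$" in the payload), not its exact content, offset and flow options. HOSTAA is kept as the placeholder the poster used.

```python
"""Decode, rebuild and classify the SMB request quoted in the post (added example)."""
import struct

# The hex dump from the post, with the poster's HOSTAA placeholder kept as-is.
PACKET_HEX = """
00 00 00 4E FF 53 4D 42 75 00 00 00 00 18 07 C8
00 00 00 00 00 00 00 00 00 00 00 00 00 00 FF FE
64 00 C0 00 04 FF 00 4E 00 08 00 01 00 23 00 00
5C 00 5C 00 48 00 4F 00 53 00 54 00 41 00 41 00
5C 00 49 00 50 00 43 00 24 00 00 00 3F 3F 3F 3F
3F 00
"""
PACKET = bytes.fromhex("".join(PACKET_HEX.split()))

SMB_COM_TREE_CONNECT_ANDX = 0x75
SMB_HEADER_LEN = 32
FLAGS2_UNICODE = 0x8000
FLAGS2_BITS = {0x0001: "LONG_NAMES", 0x0002: "EAS", 0x0004: "SECURITY_SIGNATURE",
               0x0800: "EXTENDED_SECURITY", 0x4000: "NT_STATUS", 0x8000: "UNICODE"}
IPC_UNICODE = "IPC$".encode("utf-16-le")   # the byte pattern the rule name refers to


def read_utf16z(buf):
    """Split a NUL-terminated UTF-16LE string off the front of buf."""
    for i in range(0, len(buf) - 1, 2):
        if buf[i:i + 2] == b"\x00\x00":
            return buf[:i].decode("utf-16-le"), buf[i + 2:]
    raise ValueError("unterminated UTF-16 string")


def parse_tree_connect_andx(pkt):
    """Parse a NetBIOS session message carrying SMB_COM_TREE_CONNECT_ANDX."""
    if pkt[0] != 0x00 or int.from_bytes(pkt[1:4], "big") != len(pkt) - 4:
        raise ValueError("not a complete NetBIOS session message")
    smb = pkt[4:]
    if smb[:4] != b"\xffSMB":
        raise ValueError("missing SMB signature")
    command, status, flags, flags2 = struct.unpack_from("<BIBH", smb, 4)
    if command != SMB_COM_TREE_CONNECT_ANDX:
        raise ValueError(f"command 0x{command:02x} is not TREE_CONNECT_ANDX")
    tid, pid, uid, mid = struct.unpack_from("<HHHH", smb, 24)
    word_count = smb[SMB_HEADER_LEN]
    andx_cmd, _, andx_off, tc_flags, pw_len = struct.unpack_from("<BBHHH", smb, SMB_HEADER_LEN + 1)
    bc_off = SMB_HEADER_LEN + 1 + 2 * word_count
    byte_count = struct.unpack_from("<H", smb, bc_off)[0]
    data_off = bc_off + 2
    data = smb[data_off:data_off + byte_count]
    if len(data) != byte_count:
        raise ValueError("truncated data block")
    rest = data[pw_len:]
    unicode = bool(flags2 & FLAGS2_UNICODE)
    if unicode:
        if (data_off + pw_len) % 2:          # Path must start on a 2-byte boundary
            rest = rest[1:]
        path, rest = read_utf16z(rest)
    else:
        raw, _, rest = rest.partition(b"\x00")
        path = raw.decode("ascii")
    service = rest.split(b"\x00", 1)[0].decode("ascii")   # Service is always ASCII
    return {"command": command, "status": status, "flags": flags, "flags2": flags2,
            "flags2_names": [n for b, n in sorted(FLAGS2_BITS.items()) if flags2 & b],
            "tid": tid, "pid": pid, "uid": uid, "mid": mid, "andx_offset": andx_off,
            "tree_connect_flags": tc_flags, "password_length": pw_len,
            "unicode": unicode, "path": path, "service": service}


def build_tree_connect_andx(path, service="?????", unicode=True, pid=0xFEFF,
                            uid=0x64, mid=0xC0, flags=0x18, flags2=0xC807):
    """Rebuild the request; with the defaults it reproduces the posted bytes exactly."""
    password = b"\x00"                       # one NUL byte, as in the dump (PasswordLength 1)
    path_off = SMB_HEADER_LEN + 9 + 2 + len(password)   # words + ByteCount + password
    pad = b"\x00" if unicode and path_off % 2 else b""
    if unicode:
        path_b = path.encode("utf-16-le") + b"\x00\x00"
    else:
        path_b = path.encode("ascii") + b"\x00"
        flags2 &= ~FLAGS2_UNICODE
    data = password + pad + path_b + service.encode("ascii") + b"\x00"
    andx_off = SMB_HEADER_LEN + 9 + 2 + len(data)        # offset of the (absent) next AndX
    header = (b"\xffSMB" + struct.pack("<BIBH", SMB_COM_TREE_CONNECT_ANDX, 0, flags, flags2)
              + b"\x00" * 2 + b"\x00" * 8 + b"\x00" * 2     # PIDHigh, signature, reserved
              + struct.pack("<HHHH", 0, pid, uid, mid))
    words = struct.pack("<BBBHHH", 4, 0xFF, 0, andx_off, 0x0008, len(password))
    smb = header + words + struct.pack("<H", len(data)) + data
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


def matches_sid538(pkt, dst_port=139):
    """Simplified stand-in for the snort match (assumption, not the real rule's options):
    a NetBIOS session message to 139/TCP carrying TREE_CONNECT_ANDX whose payload
    contains "IPC$" as UTF-16LE."""
    return (dst_port == 139 and len(pkt) > SMB_HEADER_LEN + 4 and pkt[0] == 0x00
            and pkt[4:9] == b"\xffSMB\x75" and IPC_UNICODE in pkt[SMB_HEADER_LEN + 4:])


if __name__ == "__main__":
    for k, v in parse_tree_connect_andx(PACKET).items():
        print(f"{k:20} {v!r}")
    print("rebuild matches dump:", build_tree_connect_andx("\\\\HOSTAA\\IPC$") == PACKET)
    print("simplified SID 538 match:", matches_sid538(PACKET))
```

Building the same request with `unicode=False` yields an ASCII "\\HOSTAA\IPC$" that the Unicode pattern does not match, which is the distinction between this alert and the non-Unicode IPC$ signature in the same rule family; the per-host differences the poster asks about would show up as differences in the Flags2 word and string encoding of the captured requests, not in the rule.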