Full Disclosure mailing list archives

NETBIOS SMB IPC$ share unicode access (snort)


From: Martin <nakal () web de>
Date: Wed, 15 Sep 2004 21:20:04 +0200


Hi,

I'm a beginner with IDS-systems, so don't hurt me, pls. :)

I hope this question is not off-topic. I have looked
for answers everywhere. Maybe I've overlooked something.

Here is our scenario:
On our network, we have 6 MS-Windows PCs which are constantly
generating snort alerts of this type (at intervals of approx. 30 minutes
per host, even when idle):

Snort SID: 538
http://www.snort.org/snort-db/sid.html?sid=538
ArachNIDS: 334
http://www.digitaltrust.it/arachnids/IDS334/event.html

These 6 PCs are 2 WinXP and 4 Windows 2000 computers.
We have further 2 Windows 2000 PCs and 2 Windows 98
PCs and various Unix-based machines that don't show
this behavior.

Virus scanners with latest signatures don't show any
infections. I don't see any strange things running
in the process tables. I've been looking for internet
worms showing this type of characteristics, but
nothing seems to react like this.

Here is the packet content which is causing such alert:

Destination: 139/TCP

000 : 00 00 00 4E FF 53 4D 42 75 00 00 00 00 18 07 C8   ...N.SMBu.......
010 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 FF FE   ................
020 : 64 00 C0 00 04 FF 00 4E 00 08 00 01 00 23 00 00   d......N.....#..
030 : 5C 00 5C 00 48 00 4F 00 53 00 54 00 41 00 41 00   \.\.H.O.S.T.A.A.
040 : 5C 00 49 00 50 00 43 00 24 00 00 00 3F 3F 3F 3F   \.I.P.C.$...????
050 : 3F 00                                             ?.

(I've replaced my host name with HOSTAA here. The packet
is exactly the same for every source host.)

Could it be a false positive? If yes, I would like
to know why 2 Windows 2000 PCs don't generate such
alerts.

Any ideas? Thanks in advance.

Martin


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
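The dump above decoded, as an added example that is not part of Martin's post or of Snort: it parses the NetBIOS session header, the SMB1 header and the TREE_CONNECT_ANDX block, and shows the request is a Unicode-flagged tree connect to \\HOSTAA\IPC$ with service type "?????" (any service). looks_like_sid538 is my own approximation of what the rule keys on, not the rule's text.

```python
import struct

# Constructed from the hex dump in the post (HOSTAA is the poster's placeholder).
PACKET = bytes.fromhex(
    "0000004e ff534d42 75000000 001807c8"
    "00000000 00000000 00000000 0000fffe"
    "6400c000 04ff004e 00080001 00230000"
    "5c005c00 48004f00 53005400 41004100"
    "5c004900 50004300 24000000 3f3f3f3f"
    "3f00"
)
SMB_COM_TREE_CONNECT_ANDX = 0x75
SMB_FLAGS2_UNICODE = 0x8000


def read_string(smb: bytes, off: int, unicode: bool) -> tuple[str, int]:
    """Read a NUL-terminated SMB string; returns (text, offset past the terminator)."""
    if unicode:
        off += off % 2            # Unicode strings are 2-byte aligned to the SMB header
        end = off
        while smb[end:end + 2] != b"\x00\x00":
            end += 2
        return smb[off:end].decode("utf-16-le"), end + 2
    end = smb.index(b"\x00", off)
    return smb[off:end].decode("ascii"), end + 1


def parse_tree_connect(pkt: bytes) -> dict:
    """Decode a NetBIOS-session-framed SMB1 TREE_CONNECT_ANDX request."""
    if pkt[0] != 0x00 or int.from_bytes(pkt[1:4], "big") != len(pkt) - 4:
        raise ValueError("not a complete NetBIOS session message")
    smb = pkt[4:]
    if smb[:4] != b"\xffSMB":
        raise ValueError("missing SMB signature")
    # Header after the signature: Command, Status, Flags, Flags2, PIDHigh,
    # SecurityFeatures, Reserved, TID, PIDLow, UID, MID (little-endian)
    cmd, _status, _flags, flags2, _, _, _, tid, _pid, uid, _mid = struct.unpack("<BIBHH8sHHHHH", smb[4:32])
    if cmd != SMB_COM_TREE_CONNECT_ANDX:
        raise ValueError(f"unexpected SMB command 0x{cmd:02x}")
    unicode = bool(flags2 & SMB_FLAGS2_UNICODE)
    wct = smb[32]                                  # WordCount (4 for this request)
    _andx, _rsv, _andx_off, tc_flags, pw_len = struct.unpack("<BBHHH", smb[33:33 + 2 * wct])
    data = 35 + 2 * wct                            # first data byte after ByteCount
    path, nxt = read_string(smb, data + pw_len, unicode)   # \\server\share, after the password
    service, _ = read_string(smb, nxt, False)      # service type is always ASCII; "?????" = any
    return {"unicode": unicode, "uid": uid, "tid": tid, "flags": tc_flags, "path": path, "service": service}


def looks_like_sid538(info: dict) -> bool:
    # Approximation of the rule's trigger: a Unicode tree connect to an IPC$ share
    return info["unicode"] and info["path"].upper().endswith("\\IPC$")
```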

