Full Disclosure mailing list archives
RE: NETBIOS SMB IPC$ share unicode access (snort)
From: Martin <nakal () web de>
Date: Wed, 15 Sep 2004 22:46:51 +0200
On Wed, 15.09.2004 at 22:08, kquest () toplayer com wrote:
> I presume you have Snort running inside of your network, which means that you are going to see a lot of Microsoft networking traffic
Yes. That was my intention. I would like to detect abnormal behavior inside our network (worms/viruses). I did expect access to shares on my network, but I did not expect that 6 of 8 hosts are scanning the network using the SMB protocol, even when no one is using them. You will understand that such behavior is suspicious to me.
> where IPC$ share access is a common thing. You need to make sure you have the $EXTERNAL_NET variable set properly, so you don't get alarms for local traffic.
Now I'm not so sure if Snort really is what I wanted. Thanks, I guess I will try my luck on snort-sigs () lists sourceforge net as suggested by Dan.

Martin
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
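A way to see the effect of the $EXTERNAL_NET setting kquest describes, as an added example that is not part of the thread and not Snort's own code: a small Python model of how a rule header such as "$EXTERNAL_NET any -> $HOME_NET 139" is resolved against sample flows. The header, the 192.168.1.0/24 range and the flows are assumptions constructed for the example; the real IPC$ rule's options and Snort's full variable syntax (ipvar, port lists, nested negation) are not modelled.

```python
"""Simplified model of Snort's $HOME_NET / $EXTERNAL_NET resolution.

Added example: not code from the mailing-list thread and not Snort's own
implementation.  It models only the rule-header part (networks, ports,
direction) of a rule like "NETBIOS SMB IPC$ share unicode access", whose
header is assumed here to be "$EXTERNAL_NET any -> $HOME_NET 139"; the
rule options (content matches, flow state) are not modelled.
"""
import ipaddress

# Assumed internal range for the example (constructed, not from the thread).
HOME_NET = "192.168.1.0/24"

# Assumed header for the IPC$ rule; the real rule's options are omitted.
IPC_RULE = "alert tcp $EXTERNAL_NET any -> $HOME_NET 139"

# Constructed sample flows: an internal host talking SMB to a peer (the
# kind of traffic Martin saw), an outside host hitting port 139, and an
# internal flow on 445 that this header does not cover.
FLOWS = [
    {"src": "192.168.1.10", "sport": 1025, "dst": "192.168.1.20", "dport": 139},
    {"src": "203.0.113.5",  "sport": 3456, "dst": "192.168.1.20", "dport": 139},
    {"src": "192.168.1.10", "sport": 1026, "dst": "192.168.1.20", "dport": 445},
]


def compile_netvar(value, variables):
    """Return a predicate ip -> bool for a Snort-style network value.

    Handles "any", a CIDR, a bracketed list "[a,b]", a $VAR reference and
    a leading "!" negation.  This is a subset of what Snort accepts.
    """
    value = value.strip()
    if value.startswith("!"):
        inner = compile_netvar(value[1:], variables)
        return lambda ip: not inner(ip)
    if value == "any":
        return lambda ip: True
    if value.startswith("$"):
        return compile_netvar(variables[value[1:]], variables)
    if value.startswith("[") and value.endswith("]"):
        members = [compile_netvar(m, variables) for m in value[1:-1].split(",")]
        return lambda ip: any(m(ip) for m in members)
    net = ipaddress.ip_network(value, strict=False)
    return lambda ip: ipaddress.ip_address(ip) in net


def port_matches(spec, port):
    """"any" or a single port number; ranges and lists are not modelled."""
    return spec == "any" or int(spec) == port


def rule_matches(header, variables, flow):
    """Evaluate a unidirectional rule header against one flow."""
    _action, _proto, src_net, src_port, direction, dst_net, dst_port = header.split()
    if direction != "->":
        raise ValueError("only '->' headers are modelled")
    return (compile_netvar(src_net, variables)(flow["src"])
            and compile_netvar(dst_net, variables)(flow["dst"])
            and port_matches(src_port, flow["sport"])
            and port_matches(dst_port, flow["dport"]))


def alerting_sources(external_net, header=IPC_RULE):
    """Source addresses of the sample flows that fire the header with the
    given $EXTERNAL_NET value."""
    variables = {"HOME_NET": HOME_NET, "EXTERNAL_NET": external_net}
    return [f["src"] for f in FLOWS if rule_matches(header, variables, f)]


if __name__ == "__main__":
    # Weak setting: every internal SMB session to port 139 alerts.
    print("EXTERNAL_NET any       :", alerting_sources("any"))
    # Corrected setting: only traffic from outside HOME_NET alerts, so the
    # internal host-to-host activity is no longer reported by this rule.
    print("EXTERNAL_NET !$HOME_NET:", alerting_sources("!$HOME_NET"))
    # Seeing internal scanners again needs a header whose source is $HOME_NET.
    print("HOME_NET -> HOME_NET   :",
          alerting_sources("!$HOME_NET", "alert tcp $HOME_NET any -> $HOME_NET 139"))
```

With `EXTERNAL_NET any` the model reports the internal 192.168.1.10 session as well as the outside host; with `!$HOME_NET` only the outside host remains, which removes the noise kquest mentions but also hides the internal SMB scanning Martin was trying to detect. The third call shows the assumed shape of a rule that would surface that internal traffic: a header whose source is `$HOME_NET` rather than `$EXTERNAL_NET`.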
Current thread:
- RE: NETBIOS SMB IPC$ share unicode access (snort) kquest (Sep 15)
- RE: NETBIOS SMB IPC$ share unicode access (snort) Martin (Sep 15)