Full Disclosure mailing list archives

RE: NETBIOS SMB IPC$ share unicode access (snort)


From: Martin <nakal () web de>
Date: Wed, 15 Sep 2004 22:46:51 +0200

On Wed, 15.09.2004, at 22:08, kquest () toplayer com wrote:

> I presume you have Snort running inside of your
> network, which means that you are going to see
> a lot of Microsoft networking traffic

Yes. That was my intention. I would like to detect
abnormal behavior inside our network (worms/virii).
I did expect access to shares on my network, but
I did not expect that 6 of 8 hosts are scanning
the network using the SMB protocol, even when no one
is using them. You will understand that such
behavior is suspicious to me.

> where
> IPC$ share access is a common thing. You need
> to make sure you have the $EXTERNAL_NET variable
> set properly, so you wouldn't get alarms for
> local traffic.

Now I'm not so sure if snort really is
what I wanted.

Thanks, I guess I will try my luck on
snort-sigs () lists sourceforge net
as suggested by Dan.

Martin


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
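The two points raised in this exchange, as an added example that is not part of the original thread or of Snort's code: why the $EXTERNAL_NET setting decides whether internal-to-internal SMB sessions trigger the rule at all, and how to pick out the "6 of 8 hosts scanning the network" pattern once you do let internal traffic through. The script assumes a HOME_NET of 192.168.1.0/24 and models only the address/port header of a rule written as `alert tcp $EXTERNAL_NET any -> $HOME_NET 139`; the real rule's content matching is omitted, and all flows are constructed sample data.

```python
import ipaddress

# Assumed $HOME_NET (not from the thread): one RFC 1918 workstation subnet.
HOME_NET = [ipaddress.ip_network("192.168.1.0/24")]


def in_home_net(addr, home_net=HOME_NET):
    """True if addr falls inside any network listed in $HOME_NET."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in home_net)


def external_net_matches(addr, setting, home_net=HOME_NET):
    """Evaluate a source address against the two common $EXTERNAL_NET settings.

    'any'        -> every address matches; internal hosts alert against each other
    '!$HOME_NET' -> only addresses outside $HOME_NET match; local SMB is ignored
    """
    if setting == "any":
        return True
    if setting == "!$HOME_NET":
        return not in_home_net(addr, home_net)
    raise ValueError("unsupported $EXTERNAL_NET setting: %r" % setting)


def would_alert(src, dst, dport, setting, home_net=HOME_NET):
    """Model the header of 'alert tcp $EXTERNAL_NET any -> $HOME_NET 139'.

    Only the address and port part is modelled; the rule's payload match
    (the IPC$ unicode string) is assumed to hit on every flow listed here.
    """
    return (dport == 139
            and external_net_matches(src, setting, home_net)
            and in_home_net(dst, home_net))


# Constructed SMB sessions: (source, destination, destination port).
FLOWS = [
    ("192.168.1.10", "192.168.1.20", 139),  # workstation to workstation
    ("192.168.1.11", "192.168.1.1", 139),   # workstation to file server
    ("203.0.113.5", "192.168.1.20", 139),   # outside host to internal share
    ("192.168.1.10", "192.168.1.20", 445),  # SMB over 445, not port 139
]


def count_alerts(setting, flows=FLOWS):
    """How many of the sample flows the rule would fire on under one setting."""
    return sum(1 for s, d, p in flows if would_alert(s, d, p, setting))


# Constructed sessions showing one internal host touching many peers.
SCAN_FLOWS = [
    ("192.168.1.10", "192.168.1.20", 139),
    ("192.168.1.10", "192.168.1.21", 139),
    ("192.168.1.10", "192.168.1.22", 445),
    ("192.168.1.10", "192.168.1.23", 139),
    ("192.168.1.11", "192.168.1.1", 139),   # one file-server session: normal
    ("203.0.113.5", "192.168.1.20", 139),   # external, not counted here
]


def internal_fanout(flows, home_net=HOME_NET, threshold=3):
    """Distinct internal SMB destinations per internal source.

    A source that opens SMB sessions to `threshold` or more distinct peers
    looks like scanning rather than ordinary share access; the result maps
    such sources to their peer count.  Threshold is an assumption to tune.
    """
    peers = {}
    for src, dst, dport in flows:
        if dport not in (139, 445):
            continue
        if in_home_net(src, home_net) and in_home_net(dst, home_net):
            peers.setdefault(src, set()).add(dst)
    return {src: len(d) for src, d in peers.items() if len(d) >= threshold}


if __name__ == "__main__":
    for setting in ("any", "!$HOME_NET"):
        print("$EXTERNAL_NET %-10s -> %d alerts" % (setting, count_alerts(setting)))
    print("internal fan-out:", internal_fanout(SCAN_FLOWS))
```

With `$EXTERNAL_NET any` three of the four sample sessions alert, two of them ordinary local share access; with `!$HOME_NET` only the session from outside remains. If the goal is the one Martin describes, spotting internal hosts that sweep the subnet, the signature is the wrong tool: keep the variable tight so the rule reports what it was written for, and look for the fan-out pattern separately from session logs or flow data.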

