Security Incidents mailing list archives
Re: spoolss overflow attempt: unknow threat or false alert ?
From: Sûnnet Beskerming <info () beskerming com>
Date: Sat, 9 Sep 2006 22:42:37 +0930
Hi Martynas, A few questions -1 - What planned changes have happened to the network in recent weeks (SOE change, patches, permission changes)? 2 - When the workstations are rebooted, how long until the packets start up? Before the user logs in? 3 - Did the perimeter network security devices record any odd behaviour in the 24-48 hours prior to the first packets being flooded? 4 - Is there any odd network behaviour between workstations that are affected, and those that aren't? (If it is something sneaky, you might be lucky and catch it here)
If it is a sneaky attack targeting the alerted SNORT rule, then your systems are on their way to being hosed. Good Luck.
Sincerely, Carl Jongsma info () beskerming com Sûnnet Beskerming Pty. Ltd. Adelaide, Australia http://www.beskerming.com Tel: 0410 707 444 / 08 8283 1154 Sûnnet Beskerming Pty. Ltd.Established in mid 2004, Sûnnet Beskerming Pty. Ltd. is the sister company to Jongsma & Jongsma Pty. Ltd., and was formed to develop and commercialise advanced Information Security research. Sûnnet Beskerming Pty. Ltd. is an Information Security specialist and, in conjunction with the tools developed in house, provides total security solutions and services, from the perimeter to internal data stores, including web application security and security testing and analysis.
------------------------------------------------------------------------------ This List Sponsored by: Black Hat Attend the Black Hat Briefings & Training USA, July 29-August 3 in Las Vegas. World renowned security experts reveal tomorrow's threats today. Free of vendor pitches, the Briefings are designed to be pragmatic regardless of your security environment. Featuring 36 hands-on training courses and 10 conference tracks, networking opportunities with over 2,500 delegates from 40+ nations. http://www.blackhat.com ------------------------------------------------------------------------------
Current thread:
- spoolss overflow attempt: unknow threat or false alert ? Buozis, Martynas (Sep 07)
- Re: spoolss overflow attempt: unknow threat or false alert ? mark Hoffman (Sep 08)
- RE: spoolss overflow attempt: unknow threat or false alert ? Buozis, Martynas (Sep 08)
- Re: spoolss overflow attempt: unknow threat or false alert ? Emanuele Rocca (Sep 08)
- Re: spoolss overflow attempt: unknow threat or false alert ? Jonathan Nichols (Sep 11)
- <Possible follow-ups>
- RE: spoolss overflow attempt: unknow threat or false alert ? Buozis, Martynas (Sep 08)
- Re: spoolss overflow attempt: unknow threat or false alert ? Sûnnet Beskerming (Sep 11)
- Re: spoolss overflow attempt: unknow threat or false alert ? mark Hoffman (Sep 08)