Snort mailing list archives
nimda rule interpretation
From: John Rodley <john.rodley () inc-networks com>
Date: Wed, 5 Dec 2001 12:27:30 -0500
I'm a new snort user managing a small corporate network. I need confirmation that my interpretation of this snort alert is correct.

syslog entry:

12-05-2001 09:00:25 Auth.Alert a.a.a.a snort[588]: [1:1294:2] NETBIOS nimda .nws [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} a.b.c.d:4003 -> w.x.y.z:139

snort log entry:

[**] NETBIOS nimda .nws [**]
12/05-08:28:37.632972 a.b.c.d:4003 -> w.x.y.z:139
TCP TTL:128 TOS:0x0 ID:48598 IpLen:20 DgmLen:636 DF
***AP*** Seq: 0xDF858CCB  Ack: 0x48C607FC  Win: 0x40A7  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

netbios.rule being triggered:

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS nimda .nws"; content:"|00|N|00|W|00|S"; flags:A+; classtype:bad-unknown; reference:url,www.datafellows.com/v-descs/nimda.shtml; sid:1294; rev:2;)

My interpretation of this is that a.b.c.d transmitted the string "NWS" over a connection from source port 4003 to destination port 139 on w.x.y.z. Would that be correct?

Suspecting this is a false positive since both machines scan clean.

John Rodley
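A worked example of what the rule's content keyword actually searches for, added here as an illustration and not code from the original post or from Snort itself. In Snort's content syntax, bytes between pipe characters are hex values and everything outside the pipes is literal text, so "|00|N|00|W|00|S" is the six bytes 00 4E 00 57 00 53: the letters NWS with a NUL before each one, which is how an uppercase ".NWS" filename appears inside a UTF-16LE (Unicode) string such as an SMB filename. The script parses that notation and runs the match against constructed payloads; the smb_like() wrapper and all sample payloads are constructed for illustration, not captured traffic, and the parser handles only the basic pipe/hex form used by this rule (no escaped pipes).

```python
"""Added example: decode a Snort content pattern and test payloads against it.

Not code from the original post or from Snort; the parser covers the basic
pipe/hex notation used by sid 1294 (no escaped pipes), and the payloads are
constructed for illustration.
"""

RULE_CONTENT = "|00|N|00|W|00|S"   # content keyword from the rule quoted above


def parse_content(pattern: str) -> bytes:
    """Convert a Snort content string to the raw bytes Snort searches for.

    Text between '|' characters is a run of hex byte values (spaces
    optional); text outside the pipes is matched literally.
    """
    if pattern.count("|") % 2:
        raise ValueError("unbalanced '|' in content pattern")
    out = bytearray()
    for i, chunk in enumerate(pattern.split("|")):
        if i % 2 == 0:
            out += chunk.encode("latin-1")                 # literal text
        else:
            out += bytes.fromhex(chunk.replace(" ", ""))   # hex bytes
    return bytes(out)


def content_matches(payload: bytes, pattern: str, nocase: bool = False) -> bool:
    """Return True if the pattern occurs anywhere in the payload.

    Snort content matches are case-sensitive unless the rule adds the
    'nocase' modifier; sid 1294 rev 2 does not, so the lowercase form
    of the same filename will not fire it.
    """
    needle = parse_content(pattern)
    if nocase:
        return needle.lower() in payload.lower()
    return needle in payload


def smb_like(filename: str) -> bytes:
    """Constructed stand-in for an SMB request carrying a Unicode filename.

    Windows sends filenames over port 139 as UTF-16LE, which is why the
    rule looks for NUL bytes between the letters. The header here is a
    placeholder, not a real SMB header.
    """
    return b"\xffSMB" + b"\x00" * 4 + filename.encode("utf-16-le")


# Constructed sample payloads: name -> bytes
SAMPLES = {
    "unicode README.NWS": smb_like("README.NWS"),
    "unicode readme.nws": smb_like("readme.nws"),
    "unicode OLDNWS.TXT": smb_like("OLDNWS.TXT"),   # benign name containing NWS
    "unicode NEWS.TXT": smb_like("NEWS.TXT"),
    "ascii NWS": b"the string NWS in plain ASCII",
}


def alerting_samples(nocase: bool = False) -> list:
    """Names of the constructed samples that would trigger the content match."""
    return [name for name, data in SAMPLES.items()
            if content_matches(data, RULE_CONTENT, nocase)]


if __name__ == "__main__":
    print("rule bytes:", parse_content(RULE_CONTENT).hex(" "))
    hits = alerting_samples()
    for name in SAMPLES:
        print(f"{name:22s} -> {'ALERT' if name in hits else 'no match'}")
```

Two things the run makes visible: plain ASCII "NWS" does not fire the rule at all, because the NUL bytes are part of the pattern, and any Unicode string containing uppercase NWS (here the benign OLDNWS.TXT) fires it just as well as a real .NWS name, which is the kind of match that produces a false positive on a clean host.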
Current thread:
- nimda rule interpretation John Rodley (Dec 05)
- Re: nimda rule interpretation Joe McAlerney (Dec 05)