Snort mailing list archives

false alarm or not?


From: "Liuhy" <solar_liu () fescomail net>
Date: Tue, 29 Apr 2003 17:03:47 +0800

Hello everyone,

    I have encountered a strange problem, which I will describe as follows:
    
    I have two computers. Snort 2.0 is installed on a Linux machine, which is configured as my firewall. The other computer
runs Windows XP Pro. I am now running Snort on the firewall, and I found that Snort raises the following alerts every 6 minutes:

    [**] [1:466:1] ICMP L3retriever Ping [**]
    [Classification: Attempted Information Leak] [Priority: 2] 
    04/29-16:53:50.313874 172.32.100.100 -> 162.105.165.168
    ICMP TTL:32 TOS:0x0 ID:42625 IpLen:20 DgmLen:60
    Type:8  Code:0  ID:512   Seq:29440  ECHO
    [Xref => http://www.whitehats.com/info/IDS311]

    [**] [1:2102:1] NETBIOS SMB SMB_COM_TRANSACTION Max Data Count of 0 DOS Attempt [**]
    [Classification: Detection of a Denial of Service Attack] [Priority: 2] 
    04/29-16:53:54.836918 172.32.100.100:3916 -> 211.156.169.6:139
    TCP TTL:128 TOS:0x0 ID:42635 IpLen:20 DgmLen:162 DF
    ***AP*** Seq: 0xA7872F3A  Ack: 0x54CB2BFA  Win: 0xF775  TcpLen: 20
    [Xref => http://www.corest.com/common/showdoc.php?idx=262]
    [Xref => http://www.microsoft.com/technet/security/bulletin/MS02-045.asp]
    [Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0724]

    I wonder whether my computer is infected by a virus, or whether the packets the Windows system sends are normal and Snort is
raising a false alarm. If it is the latter, how can I deal with it?

Thanks in advance!
Liuhy
2003.4.29
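A practitioner's first check for a question like this is whether the alerts recur on a fixed schedule from one host to one destination, which points at a scheduled client behaviour rather than an attack. The following is an added example (mine, not the poster's and not part of Snort) that parses Snort's "full" alert output, groups events by signature and host pair, flags groups that repeat at a steady interval, and renders a threshold.conf `suppress` entry for each so that only the offending source host is silenced. The alert text is a constructed sample built from the two alerts quoted above, repeated every 6 minutes, plus one unrelated alert for contrast; the year 2003, the `jitter` tolerance and the function names are my own choices. The `suppress gen_id ..., sig_id ..., track by_src, ip ...` form is Snort's threshold.conf event-filtering syntax as I know it; check it against the README shipped with your Snort version before relying on it.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean
from typing import Dict, List, NamedTuple, Optional, Tuple

# Constructed sample, not a real capture: the post's two alerts, then the same
# signatures every 6 minutes, plus one unrelated one-off alert (sid 469).
SAMPLE_ALERTS = """\
[**] [1:466:1] ICMP L3retriever Ping [**]
[Classification: Attempted Information Leak] [Priority: 2]
04/29-16:53:50.313874 172.32.100.100 -> 162.105.165.168
ICMP TTL:32 TOS:0x0 ID:42625 IpLen:20 DgmLen:60
Type:8  Code:0  ID:512   Seq:29440  ECHO

[**] [1:2102:1] NETBIOS SMB SMB_COM_TRANSACTION Max Data Count of 0 DOS Attempt [**]
[Classification: Detection of a Denial of Service Attack] [Priority: 2]
04/29-16:53:54.836918 172.32.100.100:3916 -> 211.156.169.6:139
TCP TTL:128 TOS:0x0 ID:42635 IpLen:20 DgmLen:162 DF

[**] [1:466:1] ICMP L3retriever Ping [**]
04/29-16:59:50.301122 172.32.100.100 -> 162.105.165.168

[**] [1:2102:1] NETBIOS SMB SMB_COM_TRANSACTION Max Data Count of 0 DOS Attempt [**]
04/29-16:59:55.118800 172.32.100.100:3921 -> 211.156.169.6:139

[**] [1:466:1] ICMP L3retriever Ping [**]
04/29-17:05:50.322901 172.32.100.100 -> 162.105.165.168

[**] [1:469:1] ICMP PING NMAP [**]
04/29-17:07:12.001000 10.0.0.7 -> 172.32.100.100

[**] [1:2102:1] NETBIOS SMB SMB_COM_TRANSACTION Max Data Count of 0 DOS Attempt [**]
04/29-17:05:54.904412 172.32.100.100:3927 -> 211.156.169.6:139

[**] [1:466:1] ICMP L3retriever Ping [**]
04/29-17:11:50.298450 172.32.100.100 -> 162.105.165.168

[**] [1:2102:1] NETBIOS SMB SMB_COM_TRANSACTION Max Data Count of 0 DOS Attempt [**]
04/29-17:11:56.120000 172.32.100.100:3933 -> 211.156.169.6:139
"""

HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]$")
PACKET_RE = re.compile(
    r"^(\d\d)/(\d\d)-(\d\d):(\d\d):(\d\d)\.(\d{6}) "
    r"(\d+\.\d+\.\d+\.\d+)(?::(\d+))? -> (\d+\.\d+\.\d+\.\d+)(?::(\d+))?$"
)
ASSUMED_YEAR = 2003  # full-alert timestamps carry no year; assumed from the post date

class Alert(NamedTuple):
    gid: int
    sid: int
    msg: str
    when: datetime
    src: str
    dst: str

def parse_alerts(text: str) -> List[Alert]:
    """Pull (gid, sid, msg, timestamp, src, dst) out of Snort 'full' alert text;
    the protocol-detail lines after the packet header line are ignored."""
    alerts: List[Alert] = []
    pending: Optional[Tuple[int, int, str]] = None
    for line in text.splitlines():
        line = line.strip()
        h = HEADER_RE.match(line)
        if h:
            pending = (int(h.group(1)), int(h.group(2)), h.group(4))
            continue
        p = PACKET_RE.match(line)
        if p and pending:
            mo, d, hh, mi, ss, us, src, _sport, dst, _dport = p.groups()
            when = datetime(ASSUMED_YEAR, int(mo), int(d), int(hh), int(mi), int(ss), int(us))
            alerts.append(Alert(pending[0], pending[1], pending[2], when, src, dst))
            pending = None
    return alerts

Key = Tuple[int, int, str, str]  # (gid, sid, src, dst)

def periodic_alerts(alerts: List[Alert], min_count: int = 3, jitter: float = 30.0) -> Dict[Key, float]:
    """Flag (gid, sid, src, dst) groups with at least min_count events whose
    inter-arrival gaps differ by no more than `jitter` seconds. Returns the
    mean period in seconds for each periodic group."""
    groups: Dict[Key, List[datetime]] = defaultdict(list)
    for a in alerts:
        groups[(a.gid, a.sid, a.src, a.dst)].append(a.when)
    periodic: Dict[Key, float] = {}
    for key, times in groups.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if max(gaps) - min(gaps) <= jitter:
            periodic[key] = mean(gaps)
    return periodic

def suppress_lines(periodic: Dict[Key, float]) -> List[str]:
    """Render threshold.conf suppress entries scoped to the one source host, so the
    same signature still fires for any other host."""
    return [f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {src}"
            for (gid, sid, src, _dst) in sorted(periodic)]

if __name__ == "__main__":
    found = periodic_alerts(parse_alerts(SAMPLE_ALERTS))
    for (gid, sid, src, dst), period in sorted(found.items()):
        print(f"{gid}:{sid} {src} -> {dst}: every {period / 60:.1f} min")
    print("\n".join(suppress_lines(found)))
```

Run against a real alert file, the script separates the steady 6-minute pairs from anything that does not keep a schedule (the lone sid 469 alert in the sample stays unflagged). Suppressing with `track by_src` on the single Windows host keeps the rules live for every other address, which is the safer choice over disabling sid 466 or 2102 outright. For what it is worth, sid 466 matches the fixed payload that Windows 2000/XP hosts send in their ordinary echo requests, which is why that rule is a frequent source of exactly this kind of steady alert.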
