Snort mailing list archives

RE: [Snort-sigs] SID 2404, NETBIOS SMB-DS Session Setup AndX request unicode username overflow attempt


From: "Lance Boon" <lboon () firststatebanksw com>
Date: Thu, 24 Jun 2004 09:59:56 -0500

What would be the best way to get you that information? I'm using ACID, so I could copy and paste the information of the payload area, but I'm thinking you'll probably want the whole packet information. Would snort -v -l /var/log/snort/dump get the information that you need? Or would the better way to do it be snort -c /etc/snort/snortlog.conf, then tell my output plugin to be "output log_tcpdump: /var/log/snort/dump/tcpdump.log" and comment out the rules except for one rule with SID 2404 in it? Sorry for being such a newbie at this, so any help is greatly appreciated.

Thanks

-----Original Message-----
From: Nigel Houghton [mailto:nigel () sourcefire com] 
Sent: Wednesday, June 23, 2004 1:32 PM
To: Lance Boon
Cc: snort-sigs () lists sourceforge net
Subject: Re: [Snort-sigs] SID 2404, NETBIOS SMB-DS Session Setup AndX
request unicode username overflow attempt

On  0, Lance Boon <lboon () firststatebanksw com> allegedly wrote:
I've got a question on SID 2404 NETBIOS SMB-DS Session Setup AndX request unicode username overflow attempt. According to the Snort Signature Database it says that "This event is generated when an attempt is made to exploit a known vulnerability in ISS RealSecure and BlackICE products." Why would this be alerting on traffic from a Windows 2003 Server to a Windows XP Pro workstation, both patched to the latest service packs and hot fixes? I also have this alert triggering on traffic from Windows 2003 to Windows 2000 Pro machines as well. I don't have ISS RealSecure or BlackICE running on any of these systems.

Just because you don't use those pieces of software doesn't mean that you will never see traffic that might trip a rule or possibly exploit a condition if that software were to exist on your network. What you may have is a false positive condition occurring. What we need is more detail on what exactly is making the rule generate an event, i.e. packet data captures.

-------------------------------------------------------------
Nigel Houghton       Research Engineer        Sourcefire Inc.
                 Vulnerability Research Team

In an emergency situation involving two or more officers of equal rank,
seniority will be granted to whichever officer can program a vcr.
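The capture setup Lance asks about (a config that keeps only the SID 2404 rule and logs full packets with the log_tcpdump output plugin) can be scripted rather than done by hand-commenting a rules file. The following is an added example, not from the thread or from the Snort project; the rules text it works on is constructed sample data, and the real rule would come from the netbios.rules file shipped with Snort 2.x.

```shell
#!/bin/sh
# Added example: build a minimal Snort 2.x config that loads exactly one rule (by SID)
# and writes every triggering packet to a tcpdump-format file for offline inspection.
set -e

# Constructed sample rules file content, NOT the real netbios.rules.
SAMPLE_RULES='alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"SAMPLE rule A"; flow:to_server,established; content:"|00|"; sid:2403; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"SAMPLE rule B"; flow:to_server,established; content:"|FF|SMB|73|"; sid:2404; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"SAMPLE rule C"; flow:to_server,established; content:"|00|"; sid:2405; rev:1;)'

# extract_sid RULESFILE SID -> prints only the rule line(s) carrying that exact SID
extract_sid() {
    grep -E "sid:[[:space:]]*$2[[:space:]]*;" "$1"
}

# build_config RULESFILE SID OUTFILE -> writes a one-rule config with full-packet
# logging and prints how many rules it kept (the caller expects exactly 1)
build_config() {
    rules_file=$1; sid=$2; out=$3
    {
        echo 'var HOME_NET any'
        echo 'var EXTERNAL_NET any'
        echo '# full packets for every alert; read back with tcpdump -r or Wireshark'
        echo 'output log_tcpdump: tcpdump.log'
        echo '# one-line alert summaries alongside the pcap'
        echo 'output alert_fast: alert'
        echo '# only the rule under investigation'
        extract_sid "$rules_file" "$sid"
    } > "$out"
    grep -c '^alert' "$out"
}

tmp=${TMPDIR:-/tmp}/sid_isolate.$$
mkdir -p "$tmp"
printf '%s\n' "$SAMPLE_RULES" > "$tmp/netbios.rules"
build_config "$tmp/netbios.rules" 2404 "$tmp/snortlog.conf" >/dev/null

# With the real rules path, run Snort against the generated config; -l is the
# directory where tcpdump.log and the alert file are written (hypothetical paths):
#   snort -c "$tmp/snortlog.conf" -l /var/log/snort/dump
```

The resulting tcpdump.log holds the complete packets that tripped the rule, which is the form of evidence Nigel asked for.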

