Snort mailing list archives
RE: NETBIOS SMB winreg access (unicode)
From: "Perrymon, Josh L." <PerrymonJ () bek com>
Date: Wed, 14 Apr 2004 13:30:12 -0500
So this looks like valid traffic....? So I should move the rule to local?

JP

-----Original Message-----
From: larosa, vjay [mailto:larosa_vjay () emc com]
Sent: Wednesday, April 14, 2004 1:28 PM
To: 'Perrymon, Josh L.'; 'snort-users () lists sourceforge net'
Subject: RE: [Snort-users] NETBIOS SMB winreg access (unicode)

This server is testing to see if it can remotely access the registry over the network. If winreg can be remotely accessed then the requesting server will have access across the network to view/modify the registry remotely.

vjl

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Perrymon, Josh L.
Sent: Wednesday, April 14, 2004 1:40 PM
To: 'snort-users () lists sourceforge net'
Subject: [Snort-users] NETBIOS SMB winreg access (unicode)

I see a lot of NETBIOS SMB winreg access (unicode) alerts on my Frame side. Does anyone else see this on their network? I have 28,000 hits in 3 days from a proxy server going to 50 destinations on my network.

payload: length = 104

000 : 00 00 00 64 FF 53 4D 42 A2 00 00 00 00 18 07 C8   ...d.SMB........
010 : 00 00 00 00 00 00 00 00 00 00 00 00 00 28 14 04   .............(..
020 : 01 48 42 EB 18 FF 00 DE DE 00 0E 00 16 00 00 00   .HB.............
030 : 00 00 00 00 9F 01 02 00 00 00 00 00 00 00 00 00   ................
040 : 00 00 00 00 03 00 00 00 01 00 00 00 40 00 00 00   ............@...
050 : 02 00 00 00 03 11 00 00 5C 00 77 00 69 00 6E 00   ........\.w.i.n.
060 : 72 00 65 00 67 00 00 00                           r.e.g...

Does this look normal?

JP

-------------------------------------------------------
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of GenToo technologies. Learn everything from fundamentals to system administration.
http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
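Added example, not part of the original messages: a small Python decoder for the payload quoted in the thread, useful when triaging these alerts to confirm what the packet actually requests. It walks the NetBIOS session header and the SMB1 header, checks that the command byte 0xA2 is an NT Create AndX request, and extracts the requested name. The function and constant names are this example's own, and the field offsets follow the standard SMB1 NT Create AndX layout.

```python
import struct

# Payload bytes copied from the alert quoted in the thread (104 bytes).
PAYLOAD = bytes.fromhex(
    "00 00 00 64 FF 53 4D 42 A2 00 00 00 00 18 07 C8 "
    "00 00 00 00 00 00 00 00 00 00 00 00 00 28 14 04 "
    "01 48 42 EB 18 FF 00 DE DE 00 0E 00 16 00 00 00 "
    "00 00 00 00 9F 01 02 00 00 00 00 00 00 00 00 00 "
    "00 00 00 00 03 00 00 00 01 00 00 00 40 00 00 00 "
    "02 00 00 00 03 11 00 00 5C 00 77 00 69 00 6E 00 "
    "72 00 65 00 67 00 00 00"
)

SMB_COM_NT_CREATE_ANDX = 0xA2   # command byte at SMB header offset 4
FLAGS2_UNICODE = 0x8000         # Flags2 bit: strings are UTF-16LE
PARAMS = 33                     # 32-byte SMB header + 1-byte WordCount

def parse_nt_create_andx(pkt: bytes) -> dict:
    """Decode a NetBIOS-framed SMB1 NT Create AndX request."""
    if len(pkt) < 4 + PARAMS + 48 + 2 or pkt[0] != 0x00:
        raise ValueError("not a complete NetBIOS session message")
    if int.from_bytes(pkt[1:4], "big") != len(pkt) - 4:
        raise ValueError("NetBIOS length does not match payload")
    smb = pkt[4:]
    if smb[:4] != b"\xffSMB":
        raise ValueError("missing SMB1 magic")
    flags2 = struct.unpack_from("<H", smb, 10)[0]
    if smb[4] != SMB_COM_NT_CREATE_ANDX or smb[32] != 24:
        raise ValueError("not an NT Create AndX request")
    name_len = struct.unpack_from("<H", smb, PARAMS + 5)[0]
    desired_access = struct.unpack_from("<I", smb, PARAMS + 15)[0]
    name_off = PARAMS + 48 + 2          # skip 24 parameter words + ByteCount
    is_unicode = bool(flags2 & FLAGS2_UNICODE)
    if is_unicode and name_off % 2:
        name_off += 1                   # pad byte aligns UTF-16 names
    raw = smb[name_off:name_off + name_len]
    if len(raw) != name_len:
        raise ValueError("truncated name")
    name = raw.decode("utf-16-le" if is_unicode else "latin-1")
    return {"unicode": is_unicode, "name": name,
            "desired_access": desired_access}

def is_winreg_open(pkt: bytes) -> bool:
    """True when the packet is an NT Create AndX request for \\winreg."""
    try:
        return parse_nt_create_andx(pkt)["name"].lower() == "\\winreg"
    except (ValueError, UnicodeDecodeError):
        return False

if __name__ == "__main__":
    print(parse_nt_create_andx(PAYLOAD))
```

For the quoted payload this yields the Unicode name \winreg, which matches the alert title.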
Current thread:
- NETBIOS SMB winreg access (unicode) Perrymon, Josh L. (Apr 14)
- <Possible follow-ups>
- RE: NETBIOS SMB winreg access (unicode) Perrymon, Josh L. (Apr 14)
- RE: NETBIOS SMB winreg access (unicode) larosa, vjay (Apr 14)