Snort mailing list archives

Help with a particular alert


From: Paul Martin <pmartin () hgvc com>
Date: Fri, 17 Sep 2004 08:43:20 -0400

Ok, this is really bugging me. I've got 2 systems on our network that are continually spewing out something that's tripping this rule:

Sep 17 08:19:55 hgvsnort snort: [1:2382:13] NETBIOS SMB DCERPC NTLMSSP asn1 overflow attempt [Classification: Attempted Administrator Privilege Gain] [Priority: 1]: {TCP} <IP address A>:2622 -> <IP address B>:139


I'm familiar with the ASN1 overflow attack, which is why I'm a little nervous that I'm seeing it on my network. Now, both <IP address A> and <IP address B> are internal IPs. And <IP address B> is always one of 3 systems: both DNS servers, and a random client. They've got the most current anti-virus and have been scanned for spyware. What is it that I'm missing? Could it be a false positive? I don't really think it is, but I'm open to suggestion at this point.

--

Paul Martin
Network Technician
Hilton Grand Vacations Co.
(407) 393-3034
pmartin () hgvc com
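When one rule fires continuously between a handful of internal hosts, the first triage step is usually to aggregate the syslog alert lines by signature and host pair, so the noisy sources and the targeted services stand out before anyone looks at packet captures. The script below is an added example (not part of the post, and not Snort's own tooling) that parses alert lines in the format quoted above, counts them per (sid, source, destination, destination port), and separates pairs where both ends fall in RFC 1918 space. The log lines, the 10.x addresses, the 203.0.113.7 external address and the second rule with sid 999999 are all constructed for the example; only the 1:2382:13 signature text comes from the post.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Snort syslog alert line, as quoted in the post:
#   [gid:sid:rev] message [Classification: text] [Priority: N]: {PROTO} src:port -> dst:port
# The Classification block is optional, because rules without a classtype omit it.
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s*)?"
    r"\[Priority:\s*(?P<prio>\d+)\]:\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?"
    r"\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?"
)

# Assumption: "internal" means RFC 1918. Replace with the site's own ranges.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample log; the first four lines mimic the post's alert, the fifth uses a
# placeholder sid (999999) with no classification, the last is a non-alert syslog line.
SAMPLE_LOG = """\
Sep 17 08:19:55 hgvsnort snort: [1:2382:13] NETBIOS SMB DCERPC NTLMSSP asn1 overflow attempt [Classification: Attempted Administrator Privilege Gain] [Priority: 1]: {TCP} 10.1.2.50:2622 -> 10.1.1.10:139
Sep 17 08:19:57 hgvsnort snort: [1:2382:13] NETBIOS SMB DCERPC NTLMSSP asn1 overflow attempt [Classification: Attempted Administrator Privilege Gain] [Priority: 1]: {TCP} 10.1.2.50:2623 -> 10.1.1.11:139
Sep 17 08:20:01 hgvsnort snort: [1:2382:13] NETBIOS SMB DCERPC NTLMSSP asn1 overflow attempt [Classification: Attempted Administrator Privilege Gain] [Priority: 1]: {TCP} 10.1.2.50:2624 -> 10.1.1.10:139
Sep 17 08:20:05 hgvsnort snort: [1:2382:13] NETBIOS SMB DCERPC NTLMSSP asn1 overflow attempt [Classification: Attempted Administrator Privilege Gain] [Priority: 1]: {TCP} 203.0.113.7:4455 -> 10.1.1.10:139
Sep 17 08:20:09 hgvsnort snort: [1:999999:1] EXAMPLE second rule (constructed) [Priority: 3]: {TCP} 10.1.2.50:2630 -> 10.1.1.10:445
Sep 17 08:20:10 hgvsnort snort: Initializing Preprocessors!
"""


def parse_alert(line):
    """Return a dict of alert fields, or None if the line is not a Snort alert."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    a = m.groupdict()
    a["sid"] = int(a["sid"])
    a["prio"] = int(a["prio"])
    a["sport"] = int(a["sport"]) if a["sport"] else None
    a["dport"] = int(a["dport"]) if a["dport"] else None
    return a


def is_internal(ip):
    """True when the address lies in one of the configured internal networks."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def summarize(lines):
    """Count alerts per (sid, src, dst, dport); non-alert lines are skipped."""
    counts = Counter()
    for line in lines:
        a = parse_alert(line)
        if a:
            counts[(a["sid"], a["src"], a["dst"], a["dport"])] += 1
    return counts


def internal_pairs(counts):
    """Keep only entries where both endpoints are internal hosts."""
    return {k: v for k, v in counts.items() if is_internal(k[1]) and is_internal(k[2])}


def noisy_sources(counts):
    """Total alerts per source address, most active first."""
    per_src = Counter()
    for (_sid, src, _dst, _dport), n in counts.items():
        per_src[src] += n
    return per_src.most_common()


if __name__ == "__main__":
    totals = summarize(SAMPLE_LOG.splitlines())
    for key, n in sorted(internal_pairs(totals).items(), key=lambda kv: -kv[1]):
        sid, src, dst, dport = key
        print(f"sid {sid}: {src} -> {dst}:{dport}  x{n}")
    print("sources:", noisy_sources(totals))
```

With real data, point the script at the syslog file and look at the internal_pairs output first: a single source hitting TCP/139 on a few servers repeatedly is what the post describes, and the per-source totals tell you which two machines to pull off the wire for a closer look.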


