Snort mailing list archives
RE: [Snort-sigs] false positive for SID 2404 and SID 2466
From: "Joshua Berry" <jberry () PENSON COM>
Date: Tue, 3 Aug 2004 13:11:42 -0500
The Session Setup AndX alert is probably a false positive unless you are running one of ISS' products. However, the IPC$ alert is a real alert; it is just probably not something you should be worried about, as it came from an internal machine. Windows uses the IPC$ share for all sorts of things associated with the NetBIOS protocol, which is enabled by default. I would set this alert to only fire if it is an internal machine connecting outbound or an external machine connecting inbound, but not for internal-to-internal traffic.

-----Original Message-----
From: snort-sigs-admin () lists sourceforge net [mailto:snort-sigs-admin () lists sourceforge net] On Behalf Of Stefan Sabolowitsch
Sent: Tuesday, August 03, 2004 11:15 AM
To: snort-sigs () lists sourceforge net
Subject: [Snort-sigs] false positive for SID 2404 and SID 2466

Hi List / NG,

I have a number of alarm reports with SID 2404 (NETBIOS SMB Data Service Session Setup AndX request unicode username overflow attempt) and SID 2466 (NETBIOS SMB-DS IPC$ share unicode access). Why would this be alerting on traffic from a Windows XP Prof with MS MSSQL Enterprise Manager to a Windows XP Pro workstation with MS MSSQL Database? The MSSQL Enterprise Manager uses C$ for communication. What can I do so that I do not get this report anymore?

Thanks for any aid / tips,
Stefan

Info: var EXTERNAL_NET any

Look here:

NETBIOS SMB-DS Session Setup AndX request unicode username overflow attempt:
length = 338
000 : 00 00 01 4E FF 53 4D 42 73 00 00 00 00 18 07 C8 ...N.SMBs.......
010 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 FF FE ................
020 : 00 08 20 00 0C FF 00 4E 01 04 11 0A 00 00 00 00 .. ....N........
030 : 00 00 00 AC 00 00 00 00 00 D4 00 00 A0 13 01 4E ...............N
040 : 54 4C 4D 53 53 50 00 03 00 00 00 18 00 18 00 6C TLMSSP.........l
050 : 00 00 00 18 00 18 00 84 00 00 00 0E 00 0E 00 40 ...............@
060 : 00 00 00 12 00 12 00 4E 00 00 00 0C 00 0C 00 60 .......N.......`
070 : 00 00 00 10 00 10 00 9C 00 00 00 15 82 88 E0 46 ...............F
080 : 00 45 00 4C 00 54 00 45 00 4E 00 31 00 52 00 75 .E.L.T.E.N.1.R.u
090 : 00 65 00 64 00 69 00 67 00 65 00 72 00 47 00 44 .e.d.i.g.e.r.G.D
0a0 : 00 41 00 30 00 34 00 38 00 4C 00 94 9A EE 95 CF .A.0.4.8.L......
0b0 : E3 74 71 00 00 00 00 00 00 00 00 00 00 00 00 00 .tq.............
0c0 : 00 00 00 AA 1B 5C 9D 03 B1 01 2B 91 1B DD 13 02 .....\....+.....
0d0 : 48 D6 0B 33 F7 72 FE 85 7B 45 C6 C7 08 D6 EB 6C H..3.r..{E.....l
0e0 : D8 CB D0 AB 37 96 18 B4 8C 80 ED 00 57 00 69 00 ....7.......W.i.
0f0 : 6E 00 64 00 6F 00 77 00 73 00 20 00 32 00 30 00 n.d.o.w.s. .2.0.
100 : 30 00 32 00 20 00 32 00 36 00 30 00 30 00 20 00 0.2. .2.6.0.0. .
110 : 53 00 65 00 72 00 76 00 69 00 63 00 65 00 20 00 S.e.r.v.i.c.e. .
120 : 50 00 61 00 63 00 6B 00 20 00 31 00 00 00 57 00 P.a.c.k. .1...W.
130 : 69 00 6E 00 64 00 6F 00 77 00 73 00 20 00 32 00 i.n.d.o.w.s. .2.
140 : 30 00 30 00 32 00 20 00 35 00 2E 00 31 00 00 00 0.0.2. .5...1...
150 : 00 00                                           ..

and

NETBIOS SMB-DS IPC$ share unicode access:
length = 82
000 : 00 00 00 4E FF 53 4D 42 75 00 00 00 00 18 07 C8 ...N.SMBu.......
010 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 FF FE ................
020 : 00 08 30 00 04 FF 00 4E 00 08 00 01 00 23 00 00 ..0....N.....#..
030 : 5C 00 5C 00 42 00 41 00 54 00 43 00 48 00 32 00 \.\.B.A.T.C.H.2.
040 : 5C 00 49 00 50 00 43 00 24 00 00 00 3F 3F 3F 3F \.I.P.C.$...????
050 : 3F 00                                           ?.
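Added example (editor's code, not part of this thread or of Snort): the script below decodes the two packets quoted in Stefan's message so the reason for each alert can be read off directly, and then applies the direction-based tuning Joshua proposes. It transcribes the hex columns of both dumps (ASCII column dropped), parses the NetBIOS session header and SMB1 header, pulls the domain, user and workstation names out of the NTLMSSP AUTHENTICATE blob of the Session Setup AndX (the 9-character username is what SID 2404 looks at), and reads the share path out of the Tree Connect AndX (the \\BATCH2\IPC$ access that SID 2466 reports). The HOME_NET ranges and the sample source/destination addresses are assumptions for the example; Stefan's `var EXTERNAL_NET any` means internal sources match `$EXTERNAL_NET`, and the conventional snort.conf fix for internal-to-internal noise is `var EXTERNAL_NET !$HOME_NET`, which the last function models.

```python
import ipaddress
import struct

# Hex columns of the Session Setup AndX packet (338 bytes) from Stefan's post.
SESSION_SETUP_DUMP = """
000 : 00 00 01 4E FF 53 4D 42 73 00 00 00 00 18 07 C8
010 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 FF FE
020 : 00 08 20 00 0C FF 00 4E 01 04 11 0A 00 00 00 00
030 : 00 00 00 AC 00 00 00 00 00 D4 00 00 A0 13 01 4E
040 : 54 4C 4D 53 53 50 00 03 00 00 00 18 00 18 00 6C
050 : 00 00 00 18 00 18 00 84 00 00 00 0E 00 0E 00 40
060 : 00 00 00 12 00 12 00 4E 00 00 00 0C 00 0C 00 60
070 : 00 00 00 10 00 10 00 9C 00 00 00 15 82 88 E0 46
080 : 00 45 00 4C 00 54 00 45 00 4E 00 31 00 52 00 75
090 : 00 65 00 64 00 69 00 67 00 65 00 72 00 47 00 44
0a0 : 00 41 00 30 00 34 00 38 00 4C 00 94 9A EE 95 CF
0b0 : E3 74 71 00 00 00 00 00 00 00 00 00 00 00 00 00
0c0 : 00 00 00 AA 1B 5C 9D 03 B1 01 2B 91 1B DD 13 02
0d0 : 48 D6 0B 33 F7 72 FE 85 7B 45 C6 C7 08 D6 EB 6C
0e0 : D8 CB D0 AB 37 96 18 B4 8C 80 ED 00 57 00 69 00
0f0 : 6E 00 64 00 6F 00 77 00 73 00 20 00 32 00 30 00
100 : 30 00 32 00 20 00 32 00 36 00 30 00 30 00 20 00
110 : 53 00 65 00 72 00 76 00 69 00 63 00 65 00 20 00
120 : 50 00 61 00 63 00 6B 00 20 00 31 00 00 00 57 00
130 : 69 00 6E 00 64 00 6F 00 77 00 73 00 20 00 32 00
140 : 30 00 30 00 32 00 20 00 35 00 2E 00 31 00 00 00
150 : 00 00
"""

# Hex columns of the Tree Connect AndX packet (82 bytes) from Stefan's post.
TREE_CONNECT_DUMP = """
000 : 00 00 00 4E FF 53 4D 42 75 00 00 00 00 18 07 C8
010 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 FF FE
020 : 00 08 30 00 04 FF 00 4E 00 08 00 01 00 23 00 00
030 : 5C 00 5C 00 42 00 41 00 54 00 43 00 48 00 32 00
040 : 5C 00 49 00 50 00 43 00 24 00 00 00 3F 3F 3F 3F
050 : 3F 00
"""

# Assumed HOME_NET for the example (Stefan's real ranges are not in the post).
HOME_NET = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]


def dump_to_bytes(dump: str) -> bytes:
    """Turn 'offset : hh hh ...' lines into the raw packet bytes."""
    out = bytearray()
    for line in dump.strip().splitlines():
        _offset, _sep, hexpart = line.partition(":")
        out += bytes.fromhex(hexpart)  # fromhex ignores the whitespace between pairs
    return bytes(out)


def utf16z(buf: bytes, pos: int):
    """Read a NUL-terminated UTF-16LE string at an even offset; return (text, position after the NUL)."""
    end = pos
    while end + 2 <= len(buf) and buf[end:end + 2] != b"\x00\x00":
        end += 2
    return buf[pos:end].decode("utf-16-le"), end + 2


def parse_smb(packet: bytes) -> dict:
    """Decode the NetBIOS session header plus SMB1 header and the two command bodies seen in the post."""
    nb_len = int.from_bytes(packet[1:4], "big")      # NetBIOS: 1 type byte + 3-byte length
    smb = packet[4:4 + nb_len]
    if smb[:4] != b"\xffSMB" or len(smb) != nb_len:
        raise ValueError("not a complete SMB1 message")
    cmd = smb[4]                                      # 0x73 Session Setup AndX, 0x75 Tree Connect AndX
    flags2 = struct.unpack_from("<H", smb, 10)[0]
    wc = smb[32]                                      # WordCount, 32-byte header precedes it
    words = smb[33:33 + 2 * wc]
    bcc = struct.unpack_from("<H", smb, 33 + 2 * wc)[0]
    data_off = 35 + 2 * wc
    info = {"command": cmd, "unicode": bool(flags2 & 0x8000), "byte_count": bcc}
    if cmd == 0x73 and wc == 12:                      # extended-security Session Setup AndX
        blob_len = struct.unpack_from("<H", words, 14)[0]
        blob = smb[data_off:data_off + blob_len]
        if blob[:8] == b"NTLMSSP\x00" and struct.unpack_from("<I", blob, 8)[0] == 3:
            # AUTHENTICATE message: (len, maxlen, offset) descriptors start at byte 12, 8 bytes each
            for i, name in enumerate(("lm_response", "nt_response", "domain", "user", "workstation")):
                ln, _maxlen, off = struct.unpack_from("<HHI", blob, 12 + 8 * i)
                info[name] = blob[off:off + ln]
            for name in ("domain", "user", "workstation"):
                info[name] = info[name].decode("utf-16-le")
            info["user_len_bytes"] = 2 * len(info["user"])
        pos = data_off + blob_len
        pos += pos % 2                                 # Unicode strings are 2-byte aligned from the SMB header
        info["native_os"], pos = utf16z(smb, pos)
        info["native_lanman"], pos = utf16z(smb, pos)
    elif cmd == 0x75:                                 # Tree Connect AndX
        pw_len = struct.unpack_from("<H", words, 6)[0]
        pos = data_off + pw_len
        pos += pos % 2
        info["path"], pos = utf16z(smb, pos)
        info["service"] = smb[pos:smb.index(b"\x00", pos)].decode("ascii")
    return info


def is_home(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOME_NET)


def ipc_alert_should_fire(src: str, dst: str) -> bool:
    """Joshua's tuning: alert on inbound or outbound IPC$ access, never on internal-to-internal."""
    return is_home(src) != is_home(dst)


if __name__ == "__main__":
    print(parse_smb(dump_to_bytes(SESSION_SETUP_DUMP)))
    print(parse_smb(dump_to_bytes(TREE_CONNECT_DUMP)))
    print(ipc_alert_should_fire("10.1.1.5", "10.1.1.9"), ipc_alert_should_fire("10.1.1.5", "203.0.113.7"))
```

Run as-is it prints the decoded fields of both packets: the first carries an 18-byte (9-character) username inside a normal NTLMSSP AUTHENTICATE from a Windows XP SP1 client, which is why Joshua calls SID 2404 a likely false positive here, and the second is an ordinary \\BATCH2\IPC$ tree connect, which SID 2466 reports correctly. The direction check at the end is the logic a `var EXTERNAL_NET !$HOME_NET` definition gives the `$EXTERNAL_NET any -> $HOME_NET` rule header for free.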