Snort mailing list archives

RE: [Snort-sigs] false positive for SID 2404 and SID 2466


From: "Joshua Berry" <jberry () PENSON COM>
Date: Tue, 3 Aug 2004 13:11:42 -0500

The Session Setup AndX alert is probably a false positive unless you are
running one of ISS' products.  

However, the IPC$ alert is a real alert; it is just probably not
something you should be worried about as it came from an internal
machine.  Windows uses the IPC$ share for all sorts of things associated
with the NetBIOS protocol, which is enabled by default.  I would set this
alert to only fire if it is an internal machine connecting outbound or
an external machine connecting inbound, but not for internal to internal
traffic.

-----Original Message-----
From: snort-sigs-admin () lists sourceforge net
[mailto:snort-sigs-admin () lists sourceforge net] On Behalf Of Stefan
Sabolowitsch
Sent: Tuesday, August 03, 2004 11:15 AM
To: snort-sigs () lists sourceforge net
Subject: [Snort-sigs] false positive for SID 2404 and SID 2466

Hi List / NG

I have a number of alarm reports with SID 2404 (NETBIOS SMB Data Service
Session Setup AndX request unicode username overflow attempt) and SID
2466 (NETBIOS SMB-DS IPC$ share unicode access).
Why would this be alerting on traffic from a Windows XP Prof with MS
MSSQL Enterprise Manager to a Windows XP Pro workstation
with MS MSSQL Database? The MSSQL Enterprise Manager uses C$ for
communication.

What can I do so that I do not get this report anymore?

Thanks for any aid / tips

Stefan


Info:
var EXTERNAL_NET any

Look here:
NETBIOS SMB-DS Session Setup AndX request unicode username overflow
attempt:

length = 338

000 : 00 00 01 4E FF 53 4D 42 73 00 00 00 00 18 07 C8   ...N.SMBs.......
010 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 FF FE   ................
020 : 00 08 20 00 0C FF 00 4E 01 04 11 0A 00 00 00 00   .. ....N........
030 : 00 00 00 AC 00 00 00 00 00 D4 00 00 A0 13 01 4E   ...............N
040 : 54 4C 4D 53 53 50 00 03 00 00 00 18 00 18 00 6C   TLMSSP.........l
050 : 00 00 00 18 00 18 00 84 00 00 00 0E 00 0E 00 40   ...............@
060 : 00 00 00 12 00 12 00 4E 00 00 00 0C 00 0C 00 60   .......N.......`
070 : 00 00 00 10 00 10 00 9C 00 00 00 15 82 88 E0 46   ...............F
080 : 00 45 00 4C 00 54 00 45 00 4E 00 31 00 52 00 75   .E.L.T.E.N.1.R.u
090 : 00 65 00 64 00 69 00 67 00 65 00 72 00 47 00 44   .e.d.i.g.e.r.G.D
0a0 : 00 41 00 30 00 34 00 38 00 4C 00 94 9A EE 95 CF   .A.0.4.8.L......
0b0 : E3 74 71 00 00 00 00 00 00 00 00 00 00 00 00 00   .tq.............
0c0 : 00 00 00 AA 1B 5C 9D 03 B1 01 2B 91 1B DD 13 02   .....\....+.....
0d0 : 48 D6 0B 33 F7 72 FE 85 7B 45 C6 C7 08 D6 EB 6C   H..3.r..{E.....l
0e0 : D8 CB D0 AB 37 96 18 B4 8C 80 ED 00 57 00 69 00   ....7.......W.i.
0f0 : 6E 00 64 00 6F 00 77 00 73 00 20 00 32 00 30 00   n.d.o.w.s. .2.0.
100 : 30 00 32 00 20 00 32 00 36 00 30 00 30 00 20 00   0.2. .2.6.0.0. .
110 : 53 00 65 00 72 00 76 00 69 00 63 00 65 00 20 00   S.e.r.v.i.c.e. .
120 : 50 00 61 00 63 00 6B 00 20 00 31 00 00 00 57 00   P.a.c.k. .1...W.
130 : 69 00 6E 00 64 00 6F 00 77 00 73 00 20 00 32 00   i.n.d.o.w.s. .2.
140 : 30 00 30 00 32 00 20 00 35 00 2E 00 31 00 00 00   0.0.2. .5...1...
150 : 00 00                                             ..


and
NETBIOS SMB-DS IPC$ share unicode access:

length = 82

000 : 00 00 00 4E FF 53 4D 42 75 00 00 00 00 18 07 C8   ...N.SMBu.......
010 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 FF FE   ................
020 : 00 08 30 00 04 FF 00 4E 00 08 00 01 00 23 00 00   ..0....N.....#..
030 : 5C 00 5C 00 42 00 41 00 54 00 43 00 48 00 32 00   \.\.B.A.T.C.H.2.
040 : 5C 00 49 00 50 00 43 00 24 00 00 00 3F 3F 3F 3F   \.I.P.C.$...????
050 : 3F 00   



_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
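As an added example (not code from the thread or from Snort), the following Python decodes the 82-byte SMB-DS packet Stefan pasted for the SID 2466 hit, showing that it is a Tree Connect AndX to \\BATCH2\IPC$ with the unicode flag set, and then applies Joshua's direction rule as a filter. The HOME_NET range in the usage and the snort.conf line `var EXTERNAL_NET !$HOME_NET` named in the comment are assumptions.

```python
import struct
from ipaddress import ip_address, ip_network
# Constructed input: the 82-byte SMB-DS packet from Stefan's SID 2466 alert, as pasted
IPC_DUMP = r"""
000 : 00 00 00 4E FF 53 4D 42 75 00 00 00 00 18 07 C8   ...N.SMBu.......
010 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 FF FE   ................
020 : 00 08 30 00 04 FF 00 4E 00 08 00 01 00 23 00 00   ..0....N.....#..
030 : 5C 00 5C 00 42 00 41 00 54 00 43 00 48 00 32 00   \.\.B.A.T.C.H.2.
040 : 5C 00 49 00 50 00 43 00 24 00 00 00 3F 3F 3F 3F   \.I.P.C.$...????
050 : 3F 00
"""
SMB_TREE_CONNECT_ANDX = 0x75  # command behind SID 2466 (0x73, Session Setup AndX, is SID 2404)

def dump_to_bytes(dump):
    """Convert Snort's 'offset : hex bytes   ascii' dump lines back into raw bytes."""
    out = bytearray()
    for line in dump.splitlines():
        if ":" in line:
            hex_part = line.split(":", 1)[1].split("   ")[0]  # drop the ASCII column
            out.extend(int(tok, 16) for tok in hex_part.split())
    return bytes(out)

def parse_smb(pkt):
    """Decode the NetBIOS/SMB headers; for Tree Connect AndX also the share path and service."""
    nb_len = int.from_bytes(pkt[1:4], "big")  # NetBIOS session header: type + 3-byte length
    smb = pkt[4:4 + nb_len]
    if smb[:4] != b"\xffSMB":
        raise ValueError("not an SMB message")
    flags2 = struct.unpack_from("<H", smb, 10)[0]
    info = {"command": smb[4], "unicode": bool(flags2 & 0x8000), "path": None, "share": None}
    if info["command"] == SMB_TREE_CONNECT_ANDX:
        wct = smb[32]                                       # WordCount; 2*wct param bytes follow
        pwd_len = struct.unpack_from("<H", smb, 33 + 6)[0]  # PasswordLength parameter
        off = 33 + 2 * wct + 2 + pwd_len                    # skip ByteCount and the password
        if info["unicode"] and off % 2:                     # UTF-16 path is 2-byte aligned
            off += 1
        end = off
        while smb[end:end + 2] != b"\x00\x00":              # UTF-16 NUL terminator
            end += 2
        info["path"] = smb[off:end].decode("utf-16-le")
        info["share"] = info["path"].rsplit("\\", 1)[-1]
        info["service"] = smb[end + 2:].split(b"\x00", 1)[0].decode("ascii")  # "?????" = any
    return info

def should_alert(src, dst, home_net):
    """Joshua's tuning: fire only when exactly one endpoint is inside HOME_NET (never internal-to-
    internal). Assumed snort.conf equivalent: 'var EXTERNAL_NET !$HOME_NET' instead of 'any'."""
    net = ip_network(home_net)
    return (ip_address(src) in net) != (ip_address(dst) in net)
```

With `var EXTERNAL_NET any`, as in Stefan's config, both endpoints of an internal-to-internal IPC$ connect match the rule header, which is why the filter above (or the equivalent variable change) is what suppresses the report.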



