Snort mailing list archives

EXPLOIT WINS overflow attempt FP


From: Jason Haar <Jason.Haar () trimble co nz>
Date: Tue, 07 Dec 2004 09:30:46 +1300

We have an old NT4 domain controller that is continually triggering the "WINS overflow attempt" rule when it connects to remote *Active Directory* WINS servers (at least five different AD WINS servers). That is the only domain controller/WINS server/client causing this - the rule doesn't trigger between AD and AD WINS servers - just this one NT4 DC.

I have nice captures of the offending packet if anyone wants to have a look. But as they contain hostnames on our network - I'd prefer to e-mail them to individuals who can help instead of the mailing-list ;-)

These packets appear to contain lookups of MULTIPLE hosts - which isn't normal, I think? Also, the Snort IDS we have closest to the NT4 server causing all these FPs *never* triggers an alert - only the remote (WAN) ones closest to the AD servers trigger. I am wondering if this is another case of Snort-2.2 "merging" multiple TCP streams together? These are all TCP WINS packets - not UDP...

Snort-2.2 under RH Linux.

PS: I have already been told snort-2.3 contains some fixes in this area - I just sent this for confirmation. We're not running snort-2.3RC on our production environment yet - but this might be the push to do so.

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net