Snort mailing list archives

RE: Re: Noob


From: Brian Stamper <BStamper () spencerhospital org>
Date: Thu, 23 Dec 2004 15:06:21 -0600

Well, below is almost exactly what I'm seeing in all of those packets.  I
understand this isn't really the place for this, so if anyone has any ideas
of where I go to start looking into this sort of thing.

Sometimes there is an "A" behind the P and sometimes there is nothing at all,
but other than that they are all the same.

length = 104

000 : 00 00 00 64 FF 53 4D 42 A2 00 00 00 00 18 07 C8   ...d.SMB........
010 : 00 00 00 00 00 00 00 00 00 00 00 00 06 A8 9C 07   ................
020 : 00 50 C1 1D 18 FF 00 DE DE 00 0E 00 16 00 00 00   .P..............
030 : 00 00 00 00 9F 01 02 00 00 00 00 00 00 00 00 00   ................
040 : 00 00 00 00 03 00 00 00 01 00 00 00 40 00 00 00   ............@...
050 : 02 00 00 00 03 11 00 00 5C 00 77 00 69 00 6E 00   ........\.w.i.n.
060 : 72 00 65 00 67 00 00 00                           r.e.g...

Thanks,
Brian
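Decoding the dump above with Python, as an added example that is not part of the thread, shows what the packet is: a NetBIOS session message carrying an SMB NT Create AndX request (command 0xA2) with the Unicode flag set, whose name field is the \winreg named pipe (the remote registry interface the alert is named for). The field layout follows the SMB1 wire format; the final check is an assumption about what the rule's name implies, not the actual text of the Snort signature.

```python
import re
import struct
# The 104-byte dump from the mail above, pasted here as the sample input.
DUMP = r"""
000 : 00 00 00 64 FF 53 4D 42 A2 00 00 00 00 18 07 C8   ...d.SMB........
010 : 00 00 00 00 00 00 00 00 00 00 00 00 06 A8 9C 07   ................
020 : 00 50 C1 1D 18 FF 00 DE DE 00 0E 00 16 00 00 00   .P..............
030 : 00 00 00 00 9F 01 02 00 00 00 00 00 00 00 00 00   ................
040 : 00 00 00 00 03 00 00 00 01 00 00 00 40 00 00 00   ............@...
050 : 02 00 00 00 03 11 00 00 5C 00 77 00 69 00 6E 00   ........\.w.i.n.
060 : 72 00 65 00 67 00 00 00                           r.e.g...
"""
SMB_COM_NT_CREATE_ANDX = 0xA2
FLAGS2_UNICODE = 0x8000

def parse_dump(dump: str) -> bytes:
    # Keep only the hex column of each "offset : bytes   ascii" line.
    out = bytearray()
    for line in dump.strip().splitlines():
        m = re.match(r"^[0-9A-Fa-f]+ : ((?:[0-9A-Fa-f]{2} )+)", line)
        out += bytes.fromhex(m.group(1))
    return bytes(out)

def decode_smb(pkt: bytes) -> dict:
    # NetBIOS Session Service header: 1-byte type, 3-byte big-endian length.
    nb_len = int.from_bytes(pkt[1:4], "big")
    smb = pkt[4:4 + nb_len]
    if smb[:4] != b"\xffSMB":
        raise ValueError("not an SMB1 message")
    # 32-byte SMB1 header: command, NT status, flags, flags2, ..., TID, PID, UID, MID.
    cmd, status, _flags, flags2 = struct.unpack_from("<BIBH", smb, 4)
    info = dict(nb_len=nb_len, command=cmd, status=status, unicode=bool(flags2 & FLAGS2_UNICODE))
    if cmd == SMB_COM_NT_CREATE_ANDX:
        wct = smb[32]                              # WordCount: 24 words = 48 bytes
        # AndXCmd,AndXRes,AndXOff,Res,NameLen,Flags,RootFID,Access,AllocSize,ExtAttr,Share,Disp,Opts,Imp,Sec
        p = struct.unpack_from("<BBHBHIIIQIIIIIB", smb, 33)
        bcc = struct.unpack_from("<H", smb, 33 + 2 * wct)[0]
        data_off = 35 + 2 * wct
        data = smb[data_off:data_off + bcc]
        pad = data_off % 2 if info["unicode"] else 0  # Unicode path is 2-byte aligned
        path = data[pad:pad + p[4]].decode("utf-16-le" if info["unicode"] else "ascii")
        info.update(name_length=p[4], desired_access=p[7], share_access=p[10],
                    create_disposition=p[11], byte_count=bcc, path=path)
    return info

def matches_winreg_access(info: dict) -> bool:
    # The condition the "NETBIOS SMB winreg Unicode access" alert keys on (assumed from
    # its name): an NT Create AndX with Unicode strings that opens the winreg named pipe.
    return (info["command"] == SMB_COM_NT_CREATE_ANDX and info["unicode"]
            and info.get("path", "").lower().endswith("\\winreg"))
```

Run on the dump, `decode_smb` reports a FILE_OPEN (CreateDisposition 1) of `\winreg`, which is what a remote-registry client such as a management or monitoring tool does before reading keys; that is the "normal or not" judgement Bob's reply is asking for.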

-----Original Message-----
From: Bob Konigsberg [mailto:bobkberg () networkeval com] 
Sent: Thursday, December 23, 2004 2:29 PM
To: 'Brian Stamper'; snort-users () lists sourceforge net
Subject: RE: [Snort-users] Re: Noob

I'm going off on somewhat of a tangent here, but I think it's useful.

Have you done any packet captures of the traffic that's tripping the alerts?

If you're using ACID, the packet data will be at the bottom of the display
for any given alert.

And of course Ethereal, tcpdump/windump are also your friends here.

Once you look at the type of traffic and characterize it as normal or not,
then you'll be in a better position to judge what's a threat.

As for the "random" port numbers from the Citrix, the first thing I'd want
to know is how many users are logged into it, and whether or not their
activity is in any way related to what you're seeing.

Bottom line is that you're going to have to do some serious learning about
the nature of traffic on your network, so that you can start applying the
rules in a way that makes sense for you.  What is normal on my network might
be harmful on yours and vice-versa.

Bob
 

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Brian Stamper
Sent: Thursday, December 23, 2004 11:31 AM
To: 'snort-users () lists sourceforge net'
Subject: [Snort-users] Re: Noob

OK so I've got everything up and running well.  Just now put it on a
monitored port.  Let it go for 1 min and ended up with 159 alerts.  I've
edited the snort.conf and added my home network rather than any as well as
entered the IP's of my DNS/SMTP server variables.  

I have 10 unique alerts, largest below:

75 - protocol-command-decode - NETBIOS SMB winreg Unicode access
Everything in this group is headed from my Proxy/DNS server to either my
Citrix Servers or my Domain controller.  Orig. port is mostly
42385, 1028, 14146 and the dest. port is always 139.  Any ideas of what's
going on here causing all of these, or is this just standard operating and
network traffic that I need to block out?

30 - protocol-command-decode - NETBIOS SMB IPC$ share Unicode access
Again, most of this is coming from random ports on the Citrix servers headed
for port 139 on other servers and significant machines... almost looks like
normal traffic?

21 - attempted-admin - NETBIOS SMB DCERPC NTLMSSP asn1 overflow attempt
This comes from everywhere, yet again is always destined for port 139 of some
significant machine?

Again, I'm running Snort 2.2.0 on a network w/ about 300 or so devices.  Does
this look normal to everyone, and do I just need to block this type of stuff
so that it doesn't get logged as alerts, or do you think it might actually be
a problem?

Thanks so much in advance.  
Brian


-------------------------------------------------------
SF email is sponsored by - The IT Product Guide Read honest & candid reviews
on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now. 
http://productguide.itmanagersjournal.com/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users



