Snort mailing list archives

Re: netbios rules question


From: sekure <sekure () gmail com>
Date: Tue, 30 Nov 2004 14:30:36 -0500

well, NETBIOS SMB-DS IPC$ share unicode access is perfectly innocuous.
Windows machines routinely connect to each other's IPC shares
(Inter-processor Communications).  So I wouldn't worry about it too
much.  Others may disagree, but what I do with this rule is threshold
it so that it only alerts on machines that trigger this rule more than
5 times in 60 seconds.  I am hoping that if there is a worm or an
automatic exploit, this rule will help me catch it, while at the same
time suppressing the day-to-day regular communication.

The other alert has been generating a large number of false positives
for me, so I suppressed it.  If you look at the description it seems
to only affect ISS (NOT IIS) servers.

Good luck

On Tue, 30 Nov 2004 14:13:07 -0500, rkejariwal () fiberlink com
<rkejariwal () fiberlink com> wrote:

Hi All,
I had a question regarding netbios rules. Lately I have been receiving a lot
of the alerts as shown below, where A.A.A.A and B.B.B.B are all internal
hosts to my network. In addition, B.B.B.B is the IP address of our domain
controller.  Is this merely a false positive or something I should be
concerned about? How do I go about troubleshooting further to see what exactly
is happening? Any help will be appreciated.

Thanks 
Ravi 

[**] [1:2466:4] NETBIOS SMB-DS IPC$ share unicode access [**] 
[Classification: Generic Protocol Command Decode] [Priority: 3] 
11/30-14:05:00.173386 A.A.A.A:1105 -> B.B.B.B:139 
TCP TTL:128 TOS:0x0 ID:22636 IpLen:20 DgmLen:128 DF 
***AP*** Seq: 0xD1482D9A  Ack: 0x4A54B89D  Win: 0xFFFF  TcpLen: 20 

[**] [1:2404:5] NETBIOS SMB-DS Session Setup AndX request unicode username overflow attempt [**] 
[Classification: Attempted Administrator Privilege Gain] [Priority: 1] 
11/30-14:05:00.163386  A.A.A.A:1105 -> B.B.B.B:445 
TCP TTL:128 TOS:0x0 ID:22635 IpLen:20 DgmLen:1440 DF 
***AP*** Seq: 0xD1482822  Ack: 0x4A54B769  Win: 0xFAB7  TcpLen: 20 
[Xref => http://www.eeye.com/html/research/advisories/ad20040226.html][Xref => http://www.securityfocus.com/bid/9752]
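The threshold-and-suppress approach described in the reply above, as an added example that is not part of the original posts: in Snort 2.x terms the closest configuration is a threshold.conf entry such as `threshold gen_id 1, sig_id 2466, type both, track by_src, count 5, seconds 60` together with `suppress gen_id 1, sig_id 2404` (the exact lines the author used are not given in the thread, so treat these as an assumption). The Python below applies equivalent logic to a constructed set of alert records in the full-alert format quoted in the question, so the effect of the two filters can be checked offline. The IP addresses, timestamps and sample log are constructed; the `type both` semantics (alert once per window after `count` events from one source, then stay quiet until the window ends) are simplified and assume records arrive in time order.

```python
"""Constructed example: per-source threshold plus suppression applied to
Snort full-alert records, mirroring a threshold.conf 'type both' entry."""
import re
from datetime import datetime

# Header line of a full-alert record: "[**] [gid:sid:rev] message [**]"
HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]\s*$")
# Packet line: "MM/DD-HH:MM:SS.usec SRC:port -> DST:port"
PACKET_RE = re.compile(
    r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+(\S+?):(\d+) -> (\S+?):(\d+)\s*$")


def parse_alerts(text, year=2004):
    """Return one dict (gid, sid, msg, ts, src, dst) per alert block.

    Snort's alert file omits the year, so it is supplied as a parameter.
    """
    alerts, current = [], None
    for line in text.splitlines():
        line = line.strip()
        m = HEADER_RE.match(line)
        if m:
            current = {"gid": int(m.group(1)), "sid": int(m.group(2)),
                       "msg": m.group(4)}
            continue
        m = PACKET_RE.match(line)
        if m and current is not None:
            ts = datetime.strptime(f"{year}/{m.group(1)}",
                                   "%Y/%m/%d-%H:%M:%S.%f")
            current.update({"ts": ts, "src": m.group(2), "dst": m.group(4)})
            alerts.append(current)
            current = None
    return alerts


class EventFilter:
    """Simplified Snort-style filtering (assumption: events in time order).

    thresholds: {sid: (count, seconds)} behaves like
        'type both, track by_src': fire once when the count-th event from a
        source lands inside the window, then stay quiet until the window ends.
    suppressed: sids that are dropped outright.
    """

    def __init__(self, thresholds, suppressed):
        self.thresholds = thresholds
        self.suppressed = set(suppressed)
        self.period = {}  # (sid, src) -> (window_start, events_seen, fired)

    def accept(self, alert):
        sid = alert["sid"]
        if sid in self.suppressed:
            return False
        if sid not in self.thresholds:
            return True
        count, seconds = self.thresholds[sid]
        key, ts = (sid, alert["src"]), alert["ts"]
        start, seen, fired = self.period.get(key, (None, 0, False))
        # Open a fresh window on the first event or once the old one expired.
        if start is None or (ts - start).total_seconds() >= seconds:
            start, seen, fired = ts, 0, False
        seen += 1
        hit = (not fired) and seen >= count
        self.period[key] = (start, seen, fired or hit)
        return hit


def alert_block(sid, rev, msg, ts, src, dst, dport):
    """Build one constructed record in the format quoted in the thread."""
    return (f"[**] [1:{sid}:{rev}] {msg} [**]\n"
            "[Classification: Generic Protocol Command Decode] [Priority: 3]\n"
            f"{ts} {src}:1105 -> {dst}:{dport}\n"
            "TCP TTL:128 TOS:0x0 ID:1 IpLen:20 DgmLen:128 DF\n")


IPC_MSG = "NETBIOS SMB-DS IPC$ share unicode access"
SETUP_MSG = ("NETBIOS SMB-DS Session Setup AndX request unicode username "
             "overflow attempt")

# Constructed log: one sid 2404 hit, six sid 2466 hits from 10.0.0.5 inside
# 35 seconds, and two sid 2466 hits from 10.0.0.9 spread over 30 seconds.
SAMPLE_LOG = "".join(
    [alert_block(2404, 5, SETUP_MSG, "11/30-14:05:00.163386",
                 "10.0.0.5", "10.0.0.1", 445)]
    + [alert_block(2466, 4, IPC_MSG, f"11/30-14:05:{s:02d}.000000",
                   "10.0.0.5", "10.0.0.1", 139) for s in (0, 7, 14, 21, 28, 35)]
    + [alert_block(2466, 4, IPC_MSG, f"11/30-14:06:{s:02d}.000000",
                   "10.0.0.9", "10.0.0.1", 139) for s in (10, 40)])


def run_filter(text):
    """Return (sid, src, HH:MM:SS) for every alert that survives the filters."""
    flt = EventFilter(thresholds={2466: (5, 60)}, suppressed=[2404])
    return [(a["sid"], a["src"], a["ts"].strftime("%H:%M:%S"))
            for a in parse_alerts(text) if flt.accept(a)]


if __name__ == "__main__":
    for sid, src, when in run_filter(SAMPLE_LOG):
        print(f"{when} sid {sid} from {src} crossed the threshold")
```

Only the fifth IPC$ access from 10.0.0.5 is reported; the sixth falls in the same window and the two from 10.0.0.9 never reach the count, while sid 2404 is dropped entirely. Tune `count`/`seconds` against a few days of real traffic before relying on the filter, since a domain controller's legitimate IPC$ traffic volume varies by site.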
