Snort mailing list archives
Re: netbios rules question
From: sekure <sekure () gmail com>
Date: Tue, 30 Nov 2004 14:30:36 -0500
Well, NETBIOS SMB-DS IPC$ share unicode access is perfectly innocuous. Windows machines routinely connect to each other's IPC shares (Inter-processor Communications). So I wouldn't worry about it too much. Others may disagree, but what I do with this rule is threshold it so that it only alerts on machines that trigger this rule more than 5 times in 60 seconds. I am hoping that if there is a worm or an automatic exploit, this rule will help me catch it, while at the same time suppressing the day-to-day regular communication.

The other alert has been generating a large number of false positives for me, so I suppressed it. If you look at the description it seems to only affect ISS (NOT IIS) servers.

Good luck

On Tue, 30 Nov 2004 14:13:07 -0500, rkejariwal () fiberlink com <rkejariwal () fiberlink com> wrote:
Hi All,

I had a question regarding netbios rules. Lately I have been receiving a lot of the alerts shown below, where A.A.A.A and B.B.B.B are all internal hosts to my network. In addition, B.B.B.B is the IP address of our domain controller. Is this merely a false positive or something I should be concerned about? How do I go about troubleshooting further to see what exactly is happening? Any help will be appreciated.

Thanks
Ravi

[**] [1:2466:4] NETBIOS SMB-DS IPC$ share unicode access [**]
[Classification: Generic Protocol Command Decode] [Priority: 3]
11/30-14:05:00.173386 A.A.A.A:1105 -> B.B.B.B:139
TCP TTL:128 TOS:0x0 ID:22636 IpLen:20 DgmLen:128 DF
***AP*** Seq: 0xD1482D9A Ack: 0x4A54B89D Win: 0xFFFF TcpLen: 20

[**] [1:2404:5] NETBIOS SMB-DS Session Setup AndX request unicode username overflow attempt [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: 1]
11/30-14:05:00.163386 A.A.A.A:1105 -> B.B.B.B:445
TCP TTL:128 TOS:0x0 ID:22635 IpLen:20 DgmLen:1440 DF
***AP*** Seq: 0xD1482822 Ack: 0x4A54B769 Win: 0xFAB7 TcpLen: 20
[Xref => http://www.eeye.com/html/research/advisories/ad20040226.html][Xref => http://www.securityfocus.com/bid/9752]
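The thresholding and suppression that sekure describes is normally expressed in Snort 2.x threshold.conf as `threshold gen_id 1, sig_id 2466, type threshold, track by_src, count 5, seconds 60` and `suppress gen_id 1, sig_id 2404` (syntax from the Snort 2 manual, not from the post). The script below is an added example, not code from the thread or from the Snort project: it re-implements those two directives in Python and runs them over a constructed alert_fast log in which one workstation talks normally to the domain controller while a second host opens IPC$ on six different machines in six seconds. Hosts, ports, timestamps, the `EventFilter` class and the year 2004 used for parsing are all assumptions for the demonstration.

```python
import re
from datetime import datetime

# Snort alert_fast line format (the sample log below is constructed in this
# format; it is not taken from the original post).
FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):\d+\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)

def parse_alert(line, year=2004):
    """Parse one alert_fast line into a dict, or None if it does not match.
    alert_fast omits the year, so the caller supplies it (assumed 2004 here)."""
    m = FAST_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    return {"ts": datetime.strptime(f"{year}/{d['ts']}", "%Y/%m/%d-%H:%M:%S.%f"),
            "gid": int(d["gid"]), "sid": int(d["sid"]), "msg": d["msg"],
            "src": d["src"], "dst": d["dst"], "dport": int(d["dport"])}

class EventFilter:
    """Mimics two threshold.conf directives (assumed semantics from the Snort 2
    manual): 'type threshold, track by_src, count N, seconds M' fires on every
    Nth event from one source inside an M-second window, and 'suppress' never
    fires. Rules with no entry pass through unchanged."""
    def __init__(self):
        self.thresholds = {}   # (gid, sid) -> (count, seconds)
        self.suppressed = set()  # {(gid, sid)}
        self._state = {}       # (gid, sid, src) -> [window_start, hits]

    def threshold(self, gid, sid, count, seconds):
        self.thresholds[(gid, sid)] = (count, seconds)

    def suppress(self, gid, sid):
        self.suppressed.add((gid, sid))

    def process(self, alert):
        """Return True if the alert survives filtering and should be raised."""
        rule = (alert["gid"], alert["sid"])
        if rule in self.suppressed:
            return False
        if rule not in self.thresholds:
            return True
        count, seconds = self.thresholds[rule]
        key = rule + (alert["src"],)          # track by_src
        now = alert["ts"]
        state = self._state.get(key)
        if state is None or (now - state[0]).total_seconds() >= seconds:
            state = [now, 0]                  # new or expired window
            self._state[key] = state
        state[1] += 1
        if state[1] >= count:
            state[1] = 0                      # fire, then start counting again
            return True
        return False

def make_filter():
    """The policy from the reply: sid 2466 only at 5 hits per source per 60 s,
    sid 2404 suppressed outright."""
    ef = EventFilter()
    ef.threshold(gid=1, sid=2466, count=5, seconds=60)
    ef.suppress(gid=1, sid=2404)
    return ef

def filter_log(lines, ef):
    """Run alert_fast lines through ef; return (sid, src, HH:MM:SS) per surviving alert."""
    fired = []
    for line in lines:
        a = parse_alert(line)
        if a and ef.process(a):
            fired.append((a["sid"], a["src"], a["ts"].strftime("%H:%M:%S")))
    return fired

def _fast(ts, sid, rev, msg, cls, prio, src, sport, dst, dport):
    return (f"{ts}  [**] [1:{sid}:{rev}] {msg} [**] [Classification: {cls}] "
            f"[Priority: {prio}] {{TCP}} {src}:{sport} -> {dst}:{dport}")

IPC = ("NETBIOS SMB-DS IPC$ share unicode access", "Generic Protocol Command Decode", 3)
OVF = ("NETBIOS SMB-DS Session Setup AndX request unicode username overflow attempt",
       "Attempted Administrator Privilege Gain", 1)

# Constructed sample log: 10.0.0.5 is a workstation talking to the DC 10.0.0.1
# (ordinary IPC$ traffic plus one overflow false positive); 10.0.0.7 opens IPC$
# on six different hosts within six seconds, the pattern of a scanning worm.
SAMPLE_LOG = [
    _fast("11/30-14:05:00.173386", 2466, 4, *IPC, "10.0.0.5", 1105, "10.0.0.1", 139),
    _fast("11/30-14:05:00.163386", 2404, 5, *OVF, "10.0.0.5", 1105, "10.0.0.1", 445),
] + [
    _fast(f"11/30-14:05:{20 + i:02d}.000000", 2466, 4, *IPC,
          "10.0.0.7", 1031 + i, f"10.0.0.{11 + i}", 445)
    for i in range(6)
] + [
    _fast("11/30-14:09:00.500000", 2466, 4, *IPC, "10.0.0.5", 1120, "10.0.0.1", 139),
]

if __name__ == "__main__":
    for sid, src, t in filter_log(SAMPLE_LOG, make_filter()):
        print(f"{t} sid {sid} from {src}")   # only the scanning host survives
```

Without the filter all nine alerts would be raised; with it, only the fifth IPC$ hit from 10.0.0.7 at 14:05:24 fires, while the workstation's two IPC$ connections (four minutes apart, so in separate windows) and its suppressed sid 2404 alert stay quiet. Note that `type threshold` resets the counter after firing, so a worm that keeps scanning produces one alert per five hits rather than a flood.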
Current thread:
- netbios rules question RKejariwal (Nov 30)
- Re: netbios rules question sekure (Nov 30)
- <Possible follow-ups>
- RE: netbios rules question Esler, Joel - Contractor (Nov 30)
- RE: netbios rules question Orit Vidas (Nov 30)
- RE: netbios rules question Orit Vidas (Dec 01)