[prev in list] [next in list] [prev in thread] [next in thread]
List: snort-sigs
Subject: [Snort-sigs] netbios rule question
From: RKejariwal () fiberlink ! com
Date: 2004-11-30 19:12:25
Message-ID: OFABB6AF8C.5B45FF1E-ON85256F5C.006913BE-85256F5C.006981EE () fiberlink ! com
[Download RAW message or body]
This is a multipart message in MIME format.
--=_alternative 006981E785256F5C_=
Content-Type: text/plain; charset="US-ASCII"
Hi All
I had a question regarding netbios rules. Lately I have been receiving a
lot of the alerts as shown below where A.A.A.A and B.B.B.B are all
internal hosts to my network. In addition B.B.B.B is the IP address of our
domain controller. Is this merely false positiive or something i should
be concerned about. How do I go abt troubleshooting further to see what
exactly is happenig. Any help will be appreciated
Thanks
Ravi
[**] [1:2466:4] NETBIOS SMB-DS IPC$ share unicode access [**]
[Classification: Generic Protocol Command Decode] [Priority: 3]
11/30-14:05:00.173386 A.A.A.A:1105 -> B.B.B.B:139
TCP TTL:128 TOS:0x0 ID:22636 IpLen:20 DgmLen:128 DF
***AP*** Seq: 0xD1482D9A Ack: 0x4A54B89D Win: 0xFFFF TcpLen: 20
[**] [1:2404:5] NETBIOS SMB-DS Session Setup AndX request unicode username
overflow attempt [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: 1]
11/30-14:05:00.163386 A.A.A.A:1105 -> B.B.B.B:445
TCP TTL:128 TOS:0x0 ID:22635 IpLen:20 DgmLen:1440 DF
***AP*** Seq: 0xD1482822 Ack: 0x4A54B769 Win: 0xFAB7 TcpLen: 20
[Xref =>
http://www.eeye.com/html/research/advisories/ad20040226.html][Xref =>
http://www.securityfocus.com/bid/9752]
The information transmitted is intended only for the person or entity to
which it is addressed and may contain confidential and/or privileged
material. Any review, retransmission, dissemination or other use of, or
taking of any action in reliance upon, this information by persons or
entities other than the intended recipient is prohibited. If you
received this in error, please contact the sender and delete the material
from any computer.
--=_alternative 006981E785256F5C_=
Content-Type: text/html; charset="US-ASCII"
<br><font size=2 face="sans-serif">Hi All</font>
<br><font size=2 face="sans-serif">I had a question regarding netbios rules.
Lately I have been receiving a lot of the alerts as shown below where A.A.A.A
and B.B.B.B are all internal hosts to my network. In addition B.B.B.B is
the IP address of our domain controller. Is this merely false positiive
or something i should be concerned about. How do I go abt troubleshooting
further to see what exactly is happenig. Any help will be appreciated</font>
<br>
<br><font size=2 face="sans-serif">Thanks</font>
<br><font size=2 face="sans-serif">Ravi</font>
<br>
<br><font size=2 face="sans-serif">[**] [1:2466:4] NETBIOS SMB-DS IPC$
share unicode access [**]</font>
<br><font size=2 face="sans-serif">[Classification: Generic Protocol Command
Decode] [Priority: 3] </font>
<br><font size=2 face="sans-serif">11/30-14:05:00.173386 A.A.A.A:1105 ->
B.B.B.B:139</font>
<br><font size=2 face="sans-serif">TCP TTL:128 TOS:0x0 ID:22636 IpLen:20
DgmLen:128 DF</font>
<br><font size=2 face="sans-serif">***AP*** Seq: 0xD1482D9A Ack:
0x4A54B89D Win: 0xFFFF TcpLen: 20</font>
<br>
<br><font size=2 face="sans-serif">[**] [1:2404:5] NETBIOS SMB-DS Session
Setup AndX request unicode username overflow attempt [**]</font>
<br><font size=2 face="sans-serif">[Classification: Attempted Administrator
Privilege Gain] [Priority: 1] </font>
<br><font size=2 face="sans-serif">11/30-14:05:00.163386 A.A.A.A:1105
-> B.B.B.B:445</font>
<br><font size=2 face="sans-serif">TCP TTL:128 TOS:0x0 ID:22635 IpLen:20
DgmLen:1440 DF</font>
<br><font size=2 face="sans-serif">***AP*** Seq: 0xD1482822 Ack:
0x4A54B769 Win: 0xFAB7 TcpLen: 20</font>
<br><font size=2 face="sans-serif">[Xref => \
http://www.eeye.com/html/research/advisories/ad20040226.html][Xref => \
http://www.securityfocus.com/bid/9752]</font> <br><font size=2 face="sans-serif"><br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
The information transmitted is intended only for the person or entity to
which it is addressed and may contain confidential and/or privileged material.
Any review, retransmission, dissemination or other use of, or taking
of any action in reliance upon, this information by persons or entities
other than the intended recipient is prohibited. If you received
this in error, please contact the sender and delete the material from any
computer.</font>
--=_alternative 006981E785256F5C_=--
-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://productguide.itmanagersjournal.com/
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic