| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: kquest at toplayer.com (kquest@...layer.com) Subject: NETBIOS SMB IPC$ share unicode access (snor t) This is simply a false positive (in your case). I presume you have Snort running inside of your network, which means that you are going to see a lot of Microsoft networking traffic where IPC$ share access is a common thing. You need to make sure you have the $EXTERNAL_NET variable set properly, so you wouldn't get alarms for local traffic. Kyle -----Original Message----- From: Martin [mailto:nakal@....de] Sent: Wednesday, September 15, 2004 3:20 PM To: full-disclosure@...ts.netsys.com Subject: [Full-Disclosure] NETBIOS SMB IPC$ share unicode access (snort) Hi, I'm a beginner with IDS-systems, so don't hurt me, pls. :) I hope this question is not off-topic. I have looked for answers everywhere. Maybe I've overlooked something. Here our scenario: On our network, we have 6 MS-Windows PCs which are constantly generating snort alerts of type (approx 30 minutes intervals each host, even when idle): Snort SID: 538 http://www.snort.org/snort-db/sid.html?sid=538 ArachNIDS: 334 http://www.digitaltrust.it/arachnids/IDS334/event.html These 6 PCs are 2 WinXP und 4 Windows 2000 computers. We have further 2 Windows 2000 PCs and 2 Windows 98 PCs and various Unix-based machines that don't show this behavior. Virus scanners with latest signatures don't show any infections. I don't see any strange things running in the process tables. I've been looking for internet worms showing this type of characteristics, but nothing seems to react like this. Here is the packet content which is causing such alert: Destination: 139/TCP 000 : 00 00 00 4E FF 53 4D 42 75 00 00 00 00 18 07 C8 ...N.SMBu....... 010 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 FF FE ................ 020 : 64 00 C0 00 04 FF 00 4E 00 08 00 01 00 23 00 00 d......N.....#.. 030 : 5C 00 5C 00 48 00 4F 00 53 00 54 00 41 00 41 00 \.\.H.O.S.T.A.A. 040 : 5C 00 49 00 50 00 43 00 24 00 00 00 3F 3F 3F 3F \.I.P.C.$...???? 050 : 3F 00 ?. (I've replaced my host name with HOSTAA here. The packet is exactly the same for every source host.) Could it be a false positive? If yes, I would like to know why 2 Windows 2000 PCs don't generate such alerts. Any ideas? Thanks in advance. Martin _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Powered by blists - more mailing lists