Open Source and information security mailing list archives
 
Message-ID: <1095276003.764.43.camel@klotz.local>
From: nakal at web.de (Martin)
Subject: NETBIOS SMB IPC$ share unicode access (snort)

Hi,

I'm a beginner with IDS systems, so don't hurt me, pls. :)

I hope this question is not off-topic. I have looked
for answers everywhere. Maybe I've overlooked something.

Here is our scenario:
On our network, we have 6 MS-Windows PCs which are constantly
generating snort alerts of the following type (at approx. 30-minute
intervals per host, even when idle):

Snort SID: 538
http://www.snort.org/snort-db/sid.html?sid=538
ArachNIDS: 334
http://www.digitaltrust.it/arachnids/IDS334/event.html

These 6 PCs are 2 WinXP and 4 Windows 2000 computers.
We have a further 2 Windows 2000 PCs, 2 Windows 98
PCs and various Unix-based machines that don't show
this behavior.

Virus scanners with the latest signatures don't show any
infections. I don't see any strange things running
in the process tables. I've been looking for internet
worms showing this type of characteristic, but
nothing seems to react like this.

Here is the packet content which is causing such an alert:

Destination: 139/TCP

000 : 00 00 00 4E FF 53 4D 42 75 00 00 00 00 18 07 C8   ...N.SMBu.......
010 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 FF FE   ................
020 : 64 00 C0 00 04 FF 00 4E 00 08 00 01 00 23 00 00   d......N.....#..
030 : 5C 00 5C 00 48 00 4F 00 53 00 54 00 41 00 41 00   \.\.H.O.S.T.A.A.
040 : 5C 00 49 00 50 00 43 00 24 00 00 00 3F 3F 3F 3F   \.I.P.C.$...????
050 : 3F 00                                             ?.

(I've replaced my host name with HOSTAA here. The packet
is exactly the same for every source host.)

Could it be a false positive? If yes, I would like
to know why 2 Windows 2000 PCs don't generate such
alerts.

Any ideas? Thanks in advance.

Martin
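
What the quoted bytes actually say, as an added example that is not part of Martin's post or of Snort: the script below rebuilds the packet from the hex dump above, walks the NetBIOS session header, the SMB header and the SMB_COM_TREE_CONNECT_ANDX parameter and data blocks, and pulls out the fields the alert name refers to (the FLAGS2 Unicode bit and the UTF-16LE share path). The final check is a hypothetical approximation of what the alert's name describes, written for this example only; it is not the body of Snort rule SID 538, which is not reproduced here.

```python
import re
import struct

# The packet dump quoted in the post above, copied verbatim (the poster already
# replaced the real host name with HOSTAA).  Each line is a hex offset, up to
# 16 bytes, then an ASCII rendering that the loader below ignores.
DUMP_LINES = [
    r"000 : 00 00 00 4E FF 53 4D 42 75 00 00 00 00 18 07 C8   ...N.SMBu.......",
    r"010 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 FF FE   ................",
    r"020 : 64 00 C0 00 04 FF 00 4E 00 08 00 01 00 23 00 00   d......N.....#..",
    r"030 : 5C 00 5C 00 48 00 4F 00 53 00 54 00 41 00 41 00   \.\.H.O.S.T.A.A.",
    r"040 : 5C 00 49 00 50 00 43 00 24 00 00 00 3F 3F 3F 3F   \.I.P.C.$...????",
    r"050 : 3F 00                                             ?.",
]

SMB_COM_TREE_CONNECT_ANDX = 0x75   # command byte seen at packet offset 0x08
SMB_FLAGS2_UNICODE = 0x8000        # FLAGS2 bit: strings are UTF-16LE
_HEX_BYTE = re.compile(r"^[0-9A-Fa-f]{2}$")


def dump_to_bytes(lines):
    """Rebuild the raw packet from a Snort-style hex dump; offsets are checked."""
    out = bytearray()
    for line in lines:
        offset, _, rest = line.partition(":")
        if int(offset, 16) != len(out):
            raise ValueError(f"dump offset {offset.strip()} does not match bytes read")
        for tok in rest.split()[:16]:
            if not _HEX_BYTE.match(tok):
                break                      # reached the ASCII column
            out.append(int(tok, 16))
    return bytes(out)


def _utf16_cstr(buf, pos):
    """Read a NUL-terminated UTF-16LE string; return (text, position after NUL)."""
    end = pos
    while end + 1 < len(buf) and buf[end:end + 2] != b"\x00\x00":
        end += 2
    return buf[pos:end].decode("utf-16-le"), end + 2


def _ascii_cstr(buf, pos):
    """Read a NUL-terminated ASCII string; return (text, position after NUL)."""
    end = buf.index(b"\x00", pos)
    return buf[pos:end].decode("ascii"), end + 1


def parse_tree_connect_andx(pkt):
    """Decode NetBIOS session header + SMB header + SMB_COM_TREE_CONNECT_ANDX."""
    if len(pkt) < 4 or pkt[0] != 0x00:
        raise ValueError("not a NetBIOS session message")
    nb_len = int.from_bytes(pkt[1:4], "big")
    if nb_len != len(pkt) - 4:
        raise ValueError(f"NetBIOS length {nb_len} != {len(pkt) - 4} bytes of payload")
    smb = pkt[4:]
    if len(smb) < 32 or smb[:4] != b"\xffSMB":
        raise ValueError("missing SMB header")
    command, status, flags, flags2, _pid_high = struct.unpack_from("<BIBHH", smb, 4)
    tid, pid, uid, mid = struct.unpack_from("<HHHH", smb, 24)
    if command != SMB_COM_TREE_CONNECT_ANDX:
        raise ValueError(f"SMB command 0x{command:02x} is not TREE_CONNECT_ANDX")
    unicode = bool(flags2 & SMB_FLAGS2_UNICODE)

    word_count = smb[32]               # TreeConnectAndX request carries 4 words
    if word_count != 4:
        raise ValueError(f"unexpected WordCount {word_count}")
    andx_cmd, _andx_res, andx_off, tc_flags, pw_len = struct.unpack_from("<BBHHH", smb, 33)
    bc_off = 33 + 2 * word_count
    (byte_count,) = struct.unpack_from("<H", smb, bc_off)
    data_off = bc_off + 2
    if byte_count != len(smb) - data_off:
        raise ValueError(f"ByteCount {byte_count} does not cover the rest of the message")

    pos = data_off + pw_len            # Password comes first, then the path
    if unicode and pos % 2:            # a UTF-16 path is 2-byte aligned to the SMB header
        pos += 1
    path, pos = _utf16_cstr(smb, pos) if unicode else _ascii_cstr(smb, pos)
    service, _ = _ascii_cstr(smb, pos)  # the service type is always ASCII

    return {
        "nb_len": nb_len, "command": command, "status": status,
        "flags": flags, "flags2": flags2, "unicode": unicode,
        "tid": tid, "pid": pid, "uid": uid, "mid": mid,
        "andx_command": andx_cmd, "andx_offset": andx_off, "tc_flags": tc_flags,
        "password": bytes(smb[data_off:data_off + pw_len]),
        "byte_count": byte_count, "path": path, "service": service,
    }


def looks_like_ipc_share_unicode_access(info):
    """Hypothetical check mirroring the alert's *name* only (not the SID 538 rule
    body): a Unicode Tree Connect AndX whose path names a share called IPC$."""
    return (info["command"] == SMB_COM_TREE_CONNECT_ANDX
            and info["unicode"]
            and info["path"].upper().endswith("\\IPC$"))


PACKET = dump_to_bytes(DUMP_LINES)
TREE_CONNECT = parse_tree_connect_andx(PACKET)

if __name__ == "__main__":
    for key in ("flags2", "unicode", "tid", "pid", "uid", "mid", "path", "service"):
        print(f"{key:9s} {TREE_CONNECT[key]!r}")
    print("IPC$ unicode access:", looks_like_ipc_share_unicode_access(TREE_CONNECT))
```

Run as-is, the decode gives FLAGS2 0xC807 (the 0x8000 Unicode bit is set), TID 0 (no tree connected yet), a one-byte null password, the path \\HOSTAA\IPC$ and the service type ?????, which is the SMB wildcard ("any service type") a Windows client sends when connecting to the IPC$ named-pipe share. The ByteCount and NetBIOS length both match the data present, so this is a well-formed, ordinary tree connect rather than an oversized or malformed payload. What a decode of this one packet cannot show is what the host then does over the named pipes on that tree, which is where the 30-minute pattern described in the post would have to be followed up.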


