[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <F6242D340921D5118D1E00508BB9837A07658033@tlnmail1.toplayer.com>
From: kquest at toplayer.com (kquest@...layer.com)
Subject: NETBIOS SMB IPC$ share unicode access (snor
t)
This is simply a false positive (in your case).
I presume you have Snort running inside of your
network, which means that you are going to see
a lot of Microsoft networking traffic where
IPC$ share access is a common thing. You need
to make sure you have the $EXTERNAL_NET variable
set properly, so you wouldn't get alarms for
local traffic.
Kyle
-----Original Message-----
From: Martin [mailto:nakal@....de]
Sent: Wednesday, September 15, 2004 3:20 PM
To: full-disclosure@...ts.netsys.com
Subject: [Full-Disclosure] NETBIOS SMB IPC$ share unicode access (snort)
Hi,
I'm a beginner with IDS-systems, so don't hurt me, pls. :)
I hope this question is not off-topic. I have looked
for answers everywhere. Maybe I've overlooked something.
Here our scenario:
On our network, we have 6 MS-Windows PCs which are constantly
generating snort alerts of type (approx 30 minutes intervals
each host, even when idle):
Snort SID: 538
http://www.snort.org/snort-db/sid.html?sid=538
ArachNIDS: 334
http://www.digitaltrust.it/arachnids/IDS334/event.html
These 6 PCs are 2 WinXP und 4 Windows 2000 computers.
We have further 2 Windows 2000 PCs and 2 Windows 98
PCs and various Unix-based machines that don't show
this behavior.
Virus scanners with latest signatures don't show any
infections. I don't see any strange things running
in the process tables. I've been looking for internet
worms showing this type of characteristics, but
nothing seems to react like this.
Here is the packet content which is causing such alert:
Destination: 139/TCP
000 : 00 00 00 4E FF 53 4D 42 75 00 00 00 00 18 07 C8 ...N.SMBu.......
010 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 FF FE ................
020 : 64 00 C0 00 04 FF 00 4E 00 08 00 01 00 23 00 00 d......N.....#..
030 : 5C 00 5C 00 48 00 4F 00 53 00 54 00 41 00 41 00 \.\.H.O.S.T.A.A.
040 : 5C 00 49 00 50 00 43 00 24 00 00 00 3F 3F 3F 3F \.I.P.C.$...????
050 : 3F 00 ?.
(I've replaced my host name with HOSTAA here. The packet
is exactly the same for every source host.)
Could it be a false positive? If yes, I would like
to know why 2 Windows 2000 PCs don't generate such
alerts.
Any ideas? Thanks in advance.
Martin
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Powered by blists - more mailing lists