lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
From: nakal at (Martin)
Subject: NETBIOS SMB IPC$ share unicode access (snort)

Am Mi, den 15.09.2004 schrieb um 22:08:

> I presume you have Snort running inside of your
> network, which means that you are going to see
> a lot of Microsoft networking traffic

Yes. That was my intention. I would like to detect
abnormal behavior inside our network (worms/virii).
I did expect access to shares on my network, but
I did not expect that 6 of 8 hosts are scanning
the network using SMB-protocol, even when noone
is using them. You will understand that such
behavior is suspicious to me.

> where
> IPC$ share access is a common thing. You need
> to make sure you have the $EXTERNAL_NET variable
> set properly, so you wouldn't get alarms for 
> local traffic.

Now I'm not so sure if snort really is that
what I wanted.

Thanks, I guess I will try my luck on
as suggested by Dan.


Powered by blists - more mailing lists