Full Disclosure mailing list archives
RE: NETBIOS SMB IPC$ share unicode access (snor t)
From: kquest () toplayer com
Date: Wed, 15 Sep 2004 16:08:55 -0400
This is simply a false positive (in your case). I presume you have Snort running inside of your network, which means that you are going to see a lot of Microsoft networking traffic where IPC$ share access is a common thing. You need to make sure you have the $EXTERNAL_NET variable set properly, so you wouldn't get alarms for local traffic.

Kyle

-----Original Message-----
From: Martin [mailto:nakal () web de]
Sent: Wednesday, September 15, 2004 3:20 PM
To: full-disclosure () lists netsys com
Subject: [Full-disclosure] NETBIOS SMB IPC$ share unicode access (snort)

Hi,

I'm a beginner with IDS systems, so don't hurt me, pls. :) I hope this question is not off-topic. I have looked for answers everywhere. Maybe I've overlooked something.

Here is our scenario:

On our network, we have 6 MS-Windows PCs which are constantly generating snort alerts of the following type (at approx. 30-minute intervals per host, even when idle):

Snort SID: 538
http://www.snort.org/snort-db/sid.html?sid=538
ArachNIDS: 334
http://www.digitaltrust.it/arachnids/IDS334/event.html

These 6 PCs are 2 WinXP and 4 Windows 2000 computers. We have a further 2 Windows 2000 PCs and 2 Windows 98 PCs and various Unix-based machines that don't show this behavior.

Virus scanners with the latest signatures don't show any infections. I don't see any strange things running in the process tables. I've been looking for internet worms showing this type of characteristics, but nothing seems to react like this.

Here is the packet content which is causing such an alert:

Destination: 139/TCP

000 : 00 00 00 4E FF 53 4D 42 75 00 00 00 00 18 07 C8  ...N.SMBu.......
010 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 FF FE  ................
020 : 64 00 C0 00 04 FF 00 4E 00 08 00 01 00 23 00 00  d......N.....#..
030 : 5C 00 5C 00 48 00 4F 00 53 00 54 00 41 00 41 00  \.\.H.O.S.T.A.A.
040 : 5C 00 49 00 50 00 43 00 24 00 00 00 3F 3F 3F 3F  \.I.P.C.$...????
050 : 3F 00                                            ?.

(I've replaced my host name with HOSTAA here. The packet is exactly the same for every source host.)

Could it be a false positive? If yes, I would like to know why 2 Windows 2000 PCs don't generate such alerts.

Any ideas?

Thanks in advance.
Martin

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
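The following is an added example, not code from either poster or from the Snort project. It decodes the packet bytes Martin quoted (retyped from his hex dump, with his HOSTAA substitution kept) as the SMB1 TREE_CONNECT_ANDX request they are, showing that the Unicode flag is set and that the path is an ordinary \\HOSTAA\IPC$ connect, and then models Kyle's point about $EXTERNAL_NET: assuming the rule header has the usual "$EXTERNAL_NET any -> $HOME_NET 139" shape and that EXTERNAL_NET is defined as !$HOME_NET, a connect between two hosts inside HOME_NET does not match, whereas leaving EXTERNAL_NET as "any" makes it match. The HOME_NET range and the addresses used are constructed for the example.

```python
import ipaddress
import struct

# Added example, not code from the thread. The byte string is the SMB packet from
# Martin's post, retyped from his hex dump (host name already replaced with HOSTAA).
IPC_TREE_CONNECT = bytes.fromhex(
    "0000004e ff534d42 75000000 001807c8"
    "00000000 00000000 00000000 0000fffe"
    "6400c000 04ff004e 00080001 00230000"
    "5c005c00 48004f00 53005400 41004100"
    "5c004900 50004300 24000000 3f3f3f3f"
    "3f00"
)

SMB_COM_TREE_CONNECT_ANDX = 0x75   # command byte at offset 4 of the SMB header
SMB_FLAGS2_UNICODE = 0x8000        # Flags2 bit: string fields are UTF-16LE


def _read_utf16z(buf, pos):
    """Read a NUL-terminated UTF-16LE string at pos; return (text, position after it)."""
    end = pos
    while buf[end:end + 2] != b"\x00\x00":
        end += 2
        if end >= len(buf):
            raise ValueError("unterminated UTF-16 string")
    return buf[pos:end].decode("utf-16-le"), end + 2


def parse_tree_connect(pkt):
    """Decode a NetBIOS-session-framed SMB1 TREE_CONNECT_ANDX request."""
    # NetBIOS session service header: message type 0x00 + 24-bit big-endian length
    if pkt[0] != 0x00 or int.from_bytes(pkt[1:4], "big") != len(pkt) - 4:
        raise ValueError("bad NetBIOS session header")
    smb = pkt[4:]
    if smb[:4] != b"\xffSMB":
        raise ValueError("not an SMB1 message")
    command = smb[4]
    status, flags, flags2 = struct.unpack_from("<IBH", smb, 5)
    tid, pid, uid, mid = struct.unpack_from("<HHHH", smb, 24)
    if command != SMB_COM_TREE_CONNECT_ANDX:
        raise ValueError("unexpected SMB command 0x%02x" % command)
    is_unicode = bool(flags2 & SMB_FLAGS2_UNICODE)

    # Parameter block: WordCount followed by WordCount 16-bit words
    word_count = smb[32]
    andx_cmd, _andx_rsvd, _andx_off, tc_flags, pwd_len = struct.unpack_from("<BBHHH", smb, 33)
    # Data block: ByteCount, then Password, Path and Service
    bc_offset = 33 + 2 * word_count
    (byte_count,) = struct.unpack_from("<H", smb, bc_offset)
    data_start = bc_offset + 2
    data = smb[data_start:data_start + byte_count]

    pos = pwd_len                       # skip the Password field
    if is_unicode:
        if (data_start + pos) % 2:      # Unicode strings are 2-byte aligned to the SMB header
            pos += 1
        path, pos = _read_utf16z(data, pos)
    else:
        end = data.index(b"\x00", pos)
        path, pos = data[pos:end].decode("ascii"), end + 1
    # Service is always an OEM/ASCII string; "?????" asks for any share type
    service = data[pos:data.index(b"\x00", pos)].decode("ascii")

    return {
        "command": command, "unicode": is_unicode, "flags2": flags2,
        "tid": tid, "pid": pid, "uid": uid, "mid": mid,
        "tree_connect_flags": tc_flags, "password_length": pwd_len,
        "path": path, "service": service,
    }


def is_external(ip, home_net):
    """Model 'var EXTERNAL_NET !$HOME_NET': any address outside HOME_NET is external."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in ipaddress.ip_network(net) for net in home_net)


def rule_would_fire(src, dst, home_net, external_any=False):
    """Direction test for a '$EXTERNAL_NET any -> $HOME_NET 139' rule header.

    external_any=True stands in for a snort.conf where EXTERNAL_NET was left as
    'any' (an assumed misconfiguration, not something stated in the thread).
    """
    src_external = True if external_any else is_external(src, home_net)
    return src_external and not is_external(dst, home_net)


if __name__ == "__main__":
    info = parse_tree_connect(IPC_TREE_CONNECT)
    print("command=0x%02x unicode=%s path=%r service=%r"
          % (info["command"], info["unicode"], info["path"], info["service"]))
    home = ["192.168.0.0/24"]           # constructed HOME_NET, not the poster's
    for src in ("192.168.0.10", "203.0.113.5"):
        print(src, "-> 192.168.0.20:139  fires(!$HOME_NET)=%s  fires(any)=%s"
              % (rule_would_fire(src, "192.168.0.20", home),
                 rule_would_fire(src, "192.168.0.20", home, external_any=True)))
```

Run as a script it prints the decoded tree connect and the two rule-direction outcomes; the decoder raises rather than guessing when the NetBIOS length or SMB signature does not match, which is the behaviour you want when feeding it arbitrary captures.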
Current thread:
- RE: NETBIOS SMB IPC$ share unicode access (snor t) kquest (Sep 15)
- RE: NETBIOS SMB IPC$ share unicode access (snort) Martin (Sep 15)