Full Disclosure mailing list archives

RE: NETBIOS SMB IPC$ share unicode access (snort)


From: kquest () toplayer com
Date: Wed, 15 Sep 2004 16:08:55 -0400


This is simply a false positive (in your case).
I presume you have Snort running inside of your
network, which means that you are going to see
a lot of Microsoft networking traffic where
IPC$ share access is a common thing. You need
to make sure you have the $EXTERNAL_NET variable
set properly, so that you don't get alarms for
local traffic.

Kyle

-----Original Message-----
From: Martin [mailto:nakal () web de]
Sent: Wednesday, September 15, 2004 3:20 PM
To: full-disclosure () lists netsys com
Subject: [Full-disclosure] NETBIOS SMB IPC$ share unicode access (snort)



Hi,

I'm a beginner with IDS-systems, so don't hurt me, pls. :)

I hope this question is not off-topic. I have looked
for answers everywhere. Maybe I've overlooked something.

Here is our scenario:
On our network, we have 6 MS-Windows PCs which are constantly
generating snort alerts of this type (at approx. 30-minute intervals
per host, even when idle):

Snort SID: 538
http://www.snort.org/snort-db/sid.html?sid=538
ArachNIDS: 334
http://www.digitaltrust.it/arachnids/IDS334/event.html

These 6 PCs are 2 WinXP and 4 Windows 2000 computers.
We have 2 further Windows 2000 PCs, 2 Windows 98
PCs and various Unix-based machines that don't show
this behavior.

Virus scanners with latest signatures don't show any
infections. I don't see any strange things running
in the process tables. I've been looking for internet
worms showing this type of characteristics, but
nothing seems to react like this.

Here is the packet content which is causing such alert:

Destination: 139/TCP

000 : 00 00 00 4E FF 53 4D 42 75 00 00 00 00 18 07 C8   ...N.SMBu.......
010 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 FF FE   ................
020 : 64 00 C0 00 04 FF 00 4E 00 08 00 01 00 23 00 00   d......N.....#..
030 : 5C 00 5C 00 48 00 4F 00 53 00 54 00 41 00 41 00   \.\.H.O.S.T.A.A.
040 : 5C 00 49 00 50 00 43 00 24 00 00 00 3F 3F 3F 3F   \.I.P.C.$...????
050 : 3F 00                                             ?.

(I've replaced my host name with HOSTAA here. The packet
is exactly the same for every source host.)

Could it be a false positive? If yes, I would like
to know why 2 Windows 2000 PCs don't generate such
alerts.

Any ideas? Thanks in advance.

Martin


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
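The following is an added example, not code from either poster: a Python script that parses the SMB Tree Connect AndX request in Martin's hex dump (his HOSTAA substitution kept) and then models the header of SID 538, `alert tcp $EXTERNAL_NET any -> $HOME_NET 139`, with `$EXTERNAL_NET` defined as `!$HOME_NET` as Kyle recommends. The snort.conf variable names and the `var HOME_NET` / `var EXTERNAL_NET` syntax are real; the rule's content matches are approximated by the parser (command 0x75, Unicode flag, share name ending in `\IPC$`), and the exact signature text of that era is not reproduced here.

```python
"""Parse the SMB1 Tree Connect AndX request from the thread and model SID 538's
rule header.  Added example; the packet bytes are transcribed from Martin's dump."""
import ipaddress
import struct
from typing import Optional

# Constructed from the hex dump in the original post (hostname already replaced by HOSTAA).
MARTIN_PACKET = bytes.fromhex(
    "0000004eff534d4275000000001807c8"   # NetBIOS session hdr, \xffSMB, cmd 0x75, flags, flags2
    "0000000000000000000000000000fffe"   # PIDHigh, SecurityFeatures, reserved, TID, PIDLow
    "6400c00004ff004e0008000100230000"   # UID, MID, WordCount=4, AndX params, ByteCount=0x23, Password
    "5c005c0048004f005300540041004100"   # Path in UTF-16LE: \\HOSTAA...
    "5c00490050004300240000003f3f3f3f"   # ...\IPC$ + NUL, Service "????..."
    "3f00"                               # ..." + NUL  (service "?????" means "any service type")
)

SMB_COM_TREE_CONNECT_ANDX = 0x75
SMB_FLAGS2_UNICODE = 0x8000


def parse_tree_connect(pkt: bytes) -> Optional[dict]:
    """Return the fields an IDS would key on, or None if this is not a Tree Connect AndX."""
    if len(pkt) < 4 + 32:
        return None
    nb_type, nb_len = pkt[0], int.from_bytes(pkt[1:4], "big")
    if nb_type != 0x00 or nb_len != len(pkt) - 4:
        return None  # not a single complete NetBIOS session message
    smb = pkt[4:]
    if smb[:4] != b"\xffSMB" or smb[4] != SMB_COM_TREE_CONNECT_ANDX:
        return None
    flags2 = struct.unpack_from("<H", smb, 10)[0]
    unicode = bool(flags2 & SMB_FLAGS2_UNICODE)
    uid = struct.unpack_from("<H", smb, 28)[0]
    word_count = smb[32]
    # Parameter words: AndXCommand(1) AndXReserved(1) AndXOffset(2) Flags(2) PasswordLength(2)
    _andx_cmd, _rsvd, _andx_off, tc_flags, pwd_len = struct.unpack_from("<BBHHH", smb, 33)
    data_start = 33 + 2 * word_count + 2
    byte_count = struct.unpack_from("<H", smb, 33 + 2 * word_count)[0]
    data = smb[data_start:]
    if len(data) != byte_count:
        return None  # truncated or trailing junk
    pos = pwd_len  # skip Password
    if unicode:
        if (data_start + pos) % 2:  # Unicode strings are 2-byte aligned to the SMB header
            pos += 1
        end = pos
        while end + 1 < len(data) and data[end:end + 2] != b"\x00\x00":
            end += 2
        path = data[pos:end].decode("utf-16-le")
        pos = end + 2
    else:
        end = data.index(b"\x00", pos)
        path = data[pos:end].decode("latin-1")
        pos = end + 1
    service = data[pos:data.index(b"\x00", pos)].decode("ascii")  # always OEM/ASCII
    return {"unicode": unicode, "flags2": flags2, "uid": uid,
            "tc_flags": tc_flags, "path": path, "service": service}


def is_ipc_unicode_share_access(fields: dict) -> bool:
    """Approximation of what SID 538 looks for: a Unicode tree connect to <host>\\IPC$."""
    return fields["unicode"] and fields["path"].upper().endswith("\\IPC$")


def snort_would_alert(src: str, dst: str, dport: int, payload: bytes, home_net: str) -> bool:
    """Model the rule header `alert tcp $EXTERNAL_NET any -> $HOME_NET 139` with
    EXTERNAL_NET = !$HOME_NET.  home_net="any" models a config where both variables
    are 'any', so every source counts as external and internal chatter alerts."""
    if dport != 139:
        return False
    fields = parse_tree_connect(payload)
    if fields is None or not is_ipc_unicode_share_access(fields):
        return False
    if home_net == "any":
        return True
    net = ipaddress.ip_network(home_net)
    dst_is_home = ipaddress.ip_address(dst) in net
    src_is_external = ipaddress.ip_address(src) not in net
    return dst_is_home and src_is_external


if __name__ == "__main__":
    f = parse_tree_connect(MARTIN_PACKET)
    print(f"path={f['path']!r} service={f['service']!r} flags2=0x{f['flags2']:04x} uid=0x{f['uid']:x}")
    # Hypothetical addresses for illustration (192.168.1.0/24 as the site LAN):
    for home in ("any", "192.168.1.0/24"):
        print(home, "LAN->LAN :", snort_would_alert("192.168.1.10", "192.168.1.20", 139, MARTIN_PACKET, home))
        print(home, "WAN->LAN :", snort_would_alert("203.0.113.5", "192.168.1.20", 139, MARTIN_PACKET, home))
```

With `home_net="any"` the LAN-to-LAN connect alerts, which is the situation Kyle describes; with `var HOME_NET 192.168.1.0/24` and `var EXTERNAL_NET !$HOME_NET` in snort.conf the same packet between two internal hosts no longer matches, while an IPC$ connect from outside still does. Note that the variables only decide whether Snort reports the traffic; the decoded path and service are what you would inspect if you wanted to confirm the destination is a host that should be receiving tree connects at all.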
