Snort mailing list archives
false alarm or not ?
From: "Liuhy" <solar_liu () fescomail net>
Date: Tue, 29 Apr 2003 17:03:47 +0800
Hello everyone,

I encountered a strange question. I will describe it as follows:

I have two computers. Snort 2.0 is installed on Linux, which is configured as my firewall. The other computer has Windows XP Pro installed. Now I have run Snort on the firewall. I found that Snort alerted as follows every 6 minutes:

[**] [1:466:1] ICMP L3retriever Ping [**]
[Classification: Attempted Information Leak] [Priority: 2]
04/29-16:53:50.313874 172.32.100.100 -> 162.105.165.168
ICMP TTL:32 TOS:0x0 ID:42625 IpLen:20 DgmLen:60
Type:8 Code:0 ID:512 Seq:29440 ECHO
[Xref => http://www.whitehats.com/info/IDS311]

[**] [1:2102:1] NETBIOS SMB SMB_COM_TRANSACTION Max Data Count of 0 DOS Attempt [**]
[Classification: Detection of a Denial of Service Attack] [Priority: 2]
04/29-16:53:54.836918 172.32.100.100:3916 -> 211.156.169.6:139
TCP TTL:128 TOS:0x0 ID:42635 IpLen:20 DgmLen:162 DF
***AP*** Seq: 0xA7872F3A Ack: 0x54CB2BFA Win: 0xF775 TcpLen: 20
[Xref => http://www.corest.com/common/showdoc.php?idx=262]
[Xref=>http://www.microsoft.com/technet/security/bulletin/MS02-045.asp][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi? name=CAN-2002-0724]

I wondered if my computer is infected by viruses, or if the packets that the Windows system sent are normal and it is a Snort false alarm. If it's the latter, how can I deal with it?

Thanks in advance!

Liuhy
2003.4.29