Snort mailing list archives

I don't understand this snort alert, "NETBIOS SMB IPC$ share unicode ....{ICMP}"


From: "L HR" <linger_on () hotmail com>
Date: Tue, 01 Jun 2004 17:48:11 +0900

Snort version: 2.11
Snort rule date: 05/10/2004
OS: Windows 2K

Found several strange alerts.

--------------------------
05/10-20:27:03.189495 [**] [1:538:8] NETBIOS SMB IPC$ share unicode access [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {ICMP} 64.124.11.138 -> 192.168.93.6
--------------------------

I think that the protocol doesn't match the message. If the protocol really is ICMP, the message must be "Destination Unreachable...". If the message really is "NETBIOS SMB IPC$...", the protocol must be "TCP".

But the actual packet corresponding to the alert is "ICMP Destination Unreachable (Host unreachable)". What's the problem? Do I understand the Snort rule wrongly? I'm poor at English, sorry. Thanks.

The information below is about the raw packet (using Ethereal):

-------------------------------------------------
Internet Protocol, Src Addr: 64.124.11.138 (64.124.11.138), Dst Addr: 192.168.93.6 (192.168.93.6)
Internet Control Message Protocol
    Type: 3 (Destination unreachable)
    Code: 1 (Host unreachable)
    Checksum: 0x5d5d (correct)
    Internet Protocol, Src Addr: 192.168.93.6 (192.168.93.6), Dst Addr: 16.121.143.254 (16.121.143.254)
        Version: 4
        Header length: 20 bytes
        Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
            0000 00.. = Differentiated Services Codepoint: Default (0x00)
            .... ..0. = ECN-Capable Transport (ECT): 0
            .... ...0 = ECN-CE: 0
        Total Length: 48
        Identification: 0x05d0 (1488)
        Flags: 0x00
            .0.. = Don't fragment: Not set
            ..0. = More fragments: Not set
        Fragment offset: 0
        Time to live: 118
        Protocol: TCP (0x06)
        Header checksum: 0x7fd2 (incorrect, should be 0x80d2)
        Source: 192.168.93.6 (192.168.93.6)
        Destination: 16.121.143.254 (16.121.143.254)
    Transmission Control Protocol, Src Port: 2271 (2271), Dst Port: 2745 (2745)
        Source port: 2271 (2271)
        Destination port: 2745 (2745)

0000  00 0c 29 24 05 54 00 50 56 c0 00 01 08 00 45 00   ..)$.T.PV.....E.
0010  00 38 34 6b 00 00 32 01 ea a5 40 7c 0b 8a c0 a8   .84k..2...@|....
0020  5d 06 03 01 5d 5d 00 00 00 00 45 00 00 30 05 d0   ]...]]....E..0..
0030  00 00 76 06 7f d2 c0 a8 5d 06 10 79 8f fe 08 df   ..v.....]..y....
0040  0a b9 af d9 dd 2f                                  ...../
-------------------------------------------------

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
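The frame quoted in the post, decoded as an added example (this is not code from the original post or from the Snort project). An ICMP Destination Unreachable message carries, after its 8-byte ICMP header, the IPv4 header and the first 8 bytes of transport header of the datagram it refers to (RFC 792), so the same 70 bytes contain an outer protocol of ICMP and an embedded TCP header with ports 2271 -> 2745; a decoder that reads ports out of the quoted header will therefore report TCP ports for an ICMP frame. The script parses both layers from the hex dump, recomputes the three checksums (outer IP, ICMP, quoted IP), and works out which TTL the quoted header's stored checksum actually corresponds to, since Ethereal flags it as incorrect. The bytes are transcribed from the post; all function names and field names are mine.

```python
"""Decode the Ethereal hex dump from the post: an ICMP Destination
Unreachable whose payload quotes the IPv4 header and first 8 bytes of TCP
of the datagram that was rejected.  (Added example, not from the post.)"""
import struct
from typing import Optional

# Bytes transcribed from the post's hex dump: Ethernet II / IPv4 / ICMP,
# 70 bytes in total.
FRAME = bytes.fromhex(
    "00 0c 29 24 05 54 00 50 56 c0 00 01 08 00 45 00 "
    "00 38 34 6b 00 00 32 01 ea a5 40 7c 0b 8a c0 a8 "
    "5d 06 03 01 5d 5d 00 00 00 00 45 00 00 30 05 d0 "
    "00 00 76 06 7f d2 c0 a8 5d 06 10 79 8f fe 08 df "
    "0a b9 af d9 dd 2f"
)

ETH_LEN = 14
PROTO_ICMP, PROTO_TCP = 1, 6
ICMP_DEST_UNREACH = 3


def rfc1071_checksum(data: bytes) -> int:
    """One's complement of the one's complement sum of 16-bit words (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def parse_ipv4(buf: bytes, off: int) -> dict:
    """Parse one IPv4 header at buf[off:], recomputing its header checksum."""
    ihl = (buf[off] & 0x0F) * 4
    hdr = buf[off:off + ihl]
    (_, _, total_len, ident, _, ttl, proto, stored,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", hdr[:20])
    return {
        "ihl": ihl, "total_length": total_len, "id": ident, "ttl": ttl,
        "proto": proto, "checksum": stored,
        # expected value: same header with the checksum field zeroed
        "checksum_expected": rfc1071_checksum(hdr[:10] + b"\x00\x00" + hdr[12:]),
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
    }


def ttl_implied_by_checksum(buf: bytes, off: int) -> Optional[int]:
    """Find the TTL for which the header's *stored* checksum would be correct.

    The quoted header should be a copy of the original datagram's, but a router
    that quotes the header after decrementing TTL without refreshing the
    checksum leaves a stored checksum that matches TTL + 1, not the TTL present.
    """
    ihl = (buf[off] & 0x0F) * 4
    hdr = bytearray(buf[off:off + ihl])
    stored = struct.unpack("!H", hdr[10:12])[0]
    hdr[10:12] = b"\x00\x00"
    for ttl in range(256):
        hdr[8] = ttl
        if rfc1071_checksum(bytes(hdr)) == stored:
            return ttl
    return None


def decode_frame(frame: bytes = FRAME) -> dict:
    """Outer IPv4/ICMP, then the quoted IPv4 + transport header if type 3."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    outer = parse_ipv4(frame, ETH_LEN)
    icmp_off = ETH_LEN + outer["ihl"]
    icmp = frame[icmp_off:ETH_LEN + outer["total_length"]]
    itype, icode, icsum = struct.unpack("!BBH", icmp[:4])
    result = {
        "outer": outer, "icmp_type": itype, "icmp_code": icode,
        "icmp_checksum": icsum,
        # ICMP checksum covers the whole ICMP message, quoted header included
        "icmp_checksum_expected": rfc1071_checksum(icmp[:2] + b"\x00\x00" + icmp[4:]),
    }
    if outer["proto"] == PROTO_ICMP and itype == ICMP_DEST_UNREACH:
        # Type 3: 4 unused bytes, then the quoted IPv4 header + 8 bytes (RFC 792).
        inner_off = icmp_off + 8
        inner = parse_ipv4(frame, inner_off)
        inner["ttl_implied_by_checksum"] = ttl_implied_by_checksum(frame, inner_off)
        result["inner"] = inner
        if inner["proto"] == PROTO_TCP:
            tcp = frame[inner_off + inner["ihl"]:inner_off + inner["ihl"] + 8]
            sport, dport, seq = struct.unpack("!HHI", tcp)
            result["inner_tcp"] = {"sport": sport, "dport": dport, "seq": seq}
    return result


if __name__ == "__main__":
    r = decode_frame()
    print(f"outer : proto={r['outer']['proto']} {r['outer']['src']} -> {r['outer']['dst']} "
          f"icmp type/code={r['icmp_type']}/{r['icmp_code']}")
    i = r["inner"]
    print(f"quoted: proto={i['proto']} {i['src']} -> {i['dst']} ttl={i['ttl']} "
          f"csum=0x{i['checksum']:04x} (expected 0x{i['checksum_expected']:04x}, "
          f"stored value matches ttl={i['ttl_implied_by_checksum']})")
    print(f"quoted TCP ports: {r['inner_tcp']['sport']} -> {r['inner_tcp']['dport']}")
```

Run stand-alone it reports the outer ICMP 3/1 from 64.124.11.138 and the quoted TCP 192.168.93.6:2271 -> 16.121.143.254:2745. The outer IP and ICMP checksums recompute to the stored 0xeaa5 and 0x5d5d; the quoted header's stored 0x7fd2 differs from the recomputed 0x80d2 by exactly the TTL byte, and is the checksum the header would carry with TTL 119 rather than the 118 present, which is the usual sign of a router decrementing TTL before quoting the header. The practical caveat is that fields read out of an ICMP-quoted header describe a packet your host sent, not the ICMP packet itself, and need not even be a byte-exact copy of it.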