Snort mailing list archives
RE: [Snort-sigs] SID 2404, NETBIOS SMB-DS Session Setup AndX request unicode username overflow attempt
From: "Lance Boon" <lboon () firststatebanksw com>
Date: Thu, 24 Jun 2004 09:59:56 -0500
What would be the best way to get you that information? I'm using ACID so I could copy and paste the information of the payload area, but I'm thinking you'll probably want the whole packet information. Would "snort -v -l /var/log/snort/dump" get the information that you need? Or would the better way to do it be "snort -c /etc/snort/snortlog.conf", then tell my output plugin to be "output log_tcpdump: /var/log/snort/dump/tcpdump.log" and comment out the rules except for 1 rule with SID 2404 in it? Sorry for being such a newbie at this, so any help is greatly appreciated.

Thanks

-----Original Message-----
From: Nigel Houghton [mailto:nigel () sourcefire com]
Sent: Wednesday, June 23, 2004 1:32 PM
To: Lance Boon
Cc: snort-sigs () lists sourceforge net
Subject: Re: [Snort-sigs] SID 2404, NETBIOS SMB-DS Session Setup AndX request unicode username overflow attempt

On 0, Lance Boon <lboon () firststatebanksw com> allegedly wrote:
> I've got a question on SID 2404 NETBIOS SMB-DS Session Setup AndX request
> unicode username overflow attempt. According to the Snort Signature Database
> it says that "This event is generated when an attempt is made to exploit a
> known vulnerability in ISS RealSecure and BlackICE products." Why would this
> be alerting on traffic from a Windows 2003 Server to a Windows XP Pro
> workstation, both patched to the latest service packs and hot fixes? I also
> have this alert triggering on traffic from Windows 2003 to Windows 2000 Pro
> machines as well. I don't have ISS RealSecure or BlackICE running on any of
> these systems.
Just because you don't use those pieces of software doesn't mean that you will never see traffic that might trip a rule or possibly exploit a condition if that software were to exist on your network. What you may have is a false positive condition occurring. What we need is more detail on what exactly is making the rule generate an event, i.e. packet data captures.

-------------------------------------------------------------
Nigel Houghton
Research Engineer
Sourcefire Inc.
Vulnerability Research Team

In an emergency situation involving two or more officers of equal rank, seniority will be granted to whichever officer can program a vcr.
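The capture setup Lance asks about, as an added example that is not part of the thread: a POSIX shell script that pulls a single rule out of a Snort 2.x rules file by SID, writes a minimal snort.conf with the log_tcpdump output plugin so every event is logged as a whole packet, and runs the capture. The file paths, the classification.config include, and the sample rules text are assumptions; the sample does not reproduce the real SID 2404 rule.

```shell
# Added example, not code from the thread: isolate one Snort rule by SID and
# write a minimal snort.conf that logs whole packets with log_tcpdump, so a
# suspected false positive can be sent on as a pcap. Assumptions: Snort 2.x
# rule syntax, classification.config in /etc/snort, example paths, HOME_NET any.

# Print only the active rule carrying the given sid. Backslash-continued
# lines are joined so a multi-line rule is matched as one record, and the
# trailing ";" in the pattern keeps "sid:24041;" from matching 2404.
extract_rule_by_sid() {  # $1 = sid, $2 = rules file
    awk -v want="$1" '
        /\\$/ { sub(/\\$/, ""); buf = buf $0; next }
        { line = buf $0; buf = "" }
        line !~ /^[ \t]*#/ && line ~ ("sid:[ \t]*" want "[ \t]*;") { print line }
    ' "$2"
}

# Write a self-contained config that loads just that rule and logs whole
# packets in tcpdump format. Prints the config path; fails if no rule found.
write_single_rule_conf() {  # $1 = sid, $2 = rules file, $3 = output dir
    mkdir -p "$3" || return 1
    extract_rule_by_sid "$1" "$2" > "$3/sid$1.rules"
    if [ ! -s "$3/sid$1.rules" ]; then
        echo "no active rule with sid $1 in $2" >&2
        return 1
    fi
    cat > "$3/snort-sid$1.conf" <<EOF
var HOME_NET any
var EXTERNAL_NET any
# Keep the preprocessor lines from the working snort.conf: flow: rules need stream reassembly.
include /etc/snort/classification.config
output log_tcpdump: $3/sid$1.pcap
include $3/sid$1.rules
EOF
    echo "$3/snort-sid$1.conf"
}
# Run the capture on an interface; each event writes its packet to the pcap.
capture_events() {  # $1 = sid, $2 = rules file, $3 = output dir, $4 = iface
    conf=$(write_single_rule_conf "$1" "$2" "$3") || return 1
    snort -c "$conf" -i "$4" -l "$3"
}
# Constructed sample rules file for a stand-alone run; not real rule text.
make_sample_rules() {  # $1 = path
    cat > "$1" <<'EOF'
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"SAMPLE disabled"; sid:2404; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"SAMPLE multi-line"; \
    flow:to_server,established; sid:2404; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"SAMPLE other"; sid:24041; rev:1;)
EOF
}
```

Run it as `capture_events 2404 /etc/snort/rules/netbios.rules /var/log/snort/dump eth0` (paths are examples); the resulting pcap can be read back with `snort -r` or any tcpdump-compatible tool.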