Snort mailing list archives
Re: Strange Traffic Flow
From: Frank Knobbe <frank () knobbe us>
Date: Fri, 14 Oct 2005 19:03:57 -0500
On Fri, 2005-10-14 at 07:02 -0700, Theodore Stout wrote:
> It's claiming that one host is sending large ICMP packets to my DC, and the DC answers back with the same large ICMP packet. Why would that be?
That's normal. Google for "slow link detection domain controller".
> The host starts the conversation with the server requesting "NETBIOS SMB-DS IPC$ unicode share access"
> [...]
> Then it takes a short while and either this machine does it again, or it's another machine trying. Does anyone know why this might be happening?
Depends on your network. I consider the Snort SMB signatures to be informational at best, especially the "share access" ones. You need to follow the motions though... investigate, understand, tune.

Cheers,
Frank
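Frank's "investigate, understand, tune" advice applied to the two alert types in this thread, as an added example that is not from the thread or from Snort itself: the script triages constructed Snort fast-format alert lines, labelling a large-ICMP alert toward an assumed domain controller (10.0.0.5) that the DC answers within a couple of seconds as the expected slow-link-detection echo, flagging unanswered or off-DC large ICMP for investigation, and marking the SMB IPC$ share-access alert as informational. The SIDs, timestamps and addresses are placeholders; the rule messages mirror the ones quoted above.

```python
import re

# Assumed domain controller address (placeholder).
DC_ADDRS = {"10.0.0.5"}

# Constructed Snort fast-alert lines; SIDs 100001/100002 are placeholders.
SAMPLE_ALERTS = """\
10/14-07:02:11.101 [**] [1:100001:1] ICMP Large ICMP Packet [**] {ICMP} 10.0.0.25 -> 10.0.0.5
10/14-07:02:11.102 [**] [1:100001:1] ICMP Large ICMP Packet [**] {ICMP} 10.0.0.5 -> 10.0.0.25
10/14-07:02:12.300 [**] [1:100002:1] NETBIOS SMB-DS IPC$ unicode share access [**] {TCP} 10.0.0.25:1043 -> 10.0.0.5:445
10/14-07:05:40.777 [**] [1:100001:1] ICMP Large ICMP Packet [**] {ICMP} 10.0.0.25 -> 203.0.113.9
"""

# timestamp [**] [gid:sid:rev] msg [**] ... {proto} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?$"
)

def parse_alerts(text):
    """Parse fast-format lines into dicts; lines that do not match are skipped."""
    return [m.groupdict() for m in map(ALERT_RE.match, text.splitlines()) if m]

def _seconds(ts):
    # "10/14-07:02:11.101" -> seconds since midnight (sample is within one day)
    hh, mm, ss = ts.split("-", 1)[1].split(":")
    return int(hh) * 3600 + int(mm) * 60 + float(ss)

def triage(alerts, dc_addrs, window=2.0):
    """Map alert index -> verdict. A large-ICMP request to a DC that the DC
    echoes back to the same host within `window` seconds is the normal
    slow-link-detection exchange; anything else large-ICMP is investigated."""
    icmp = [(i, a) for i, a in enumerate(alerts)
            if a["proto"] == "ICMP" and "Large ICMP" in a["msg"]]
    paired = set()
    for i, req in icmp:
        if req["dst"] not in dc_addrs:
            continue
        for j, rep in icmp:
            delta = _seconds(rep["ts"]) - _seconds(req["ts"])
            if j > i and rep["src"] == req["dst"] and rep["dst"] == req["src"] \
                    and 0 <= delta <= window:
                paired.update({i, j})
                break
    verdicts = {}
    for i, a in enumerate(alerts):
        if "IPC$" in a["msg"]:
            verdicts[i] = "informational"      # SMB share-access rule, tune if noisy
        elif i in paired:
            verdicts[i] = "expected-dc-slow-link-detection"
        else:
            verdicts[i] = "investigate"
    return verdicts
```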