
[Snort-users] RE: [Snort-sigs] false positive for SID 2404 and SID 2466

This is a discussion on [Snort-users] RE: [Snort-sigs] false positive for SID 2404 and SID 2466 within the Snort forums, part of the System Security and Security Related category.


Old 08-03-2004
Joshua Berry

The Session Setup AndX alert is probably a false positive unless you are
running one of ISS' products.

However, the IPC$ alert is a real alert; it is just probably not
something you should be worried about, as it came from an internal
machine. Windows uses the IPC$ share for all sorts of things associated
with the NetBIOS protocol, which is enabled by default. I would set this
alert to only fire if it is an internal machine connecting outbound or
an external machine connecting inbound, but not for internal-to-internal
traffic.

-----Original Message-----
From: snort-sigs-admin@lists.sourceforge.net
[mailto:snort-sigs-admin@lists.sourceforge.net] On Behalf Of Stefan
Sabolowitsch
Sent: Tuesday, August 03, 2004 11:15 AM
To: snort-sigs@lists.sourceforge.net
Subject: [Snort-sigs] false positive for SID 2404 and SID 2466

Hi List / NG

I have a number of alarm reports with SID 2404 (NETBIOS SMB Data Service
Session Setup AndX request unicode username overflow attempt) and SID
2466 (NETBIOS SMB-DS IPC$ share unicode access).
Why would this be alerting on traffic from a Windows XP Prof with MS
MSSQL Enterprise Manager to a Windows XP Pro workstation with MS MSSQL
Database? The MSSQL Enterprise Manager uses C$ for communication.

What can I do so that I do not get this report anymore?

Thanks for any aid / tips

Stefan


Info:
var EXTERNAL_NET any

Look here:
NETBIOS SMB-DS Session Setup AndX request unicode username overflow
attempt:

length = 338

000 : 00 00 01 4E FF 53 4D 42 73 00 00 00 00 18 07 C8 ...N.SMBs.......
010 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 FF FE ................
020 : 00 08 20 00 0C FF 00 4E 01 04 11 0A 00 00 00 00 .. ....N........
030 : 00 00 00 AC 00 00 00 00 00 D4 00 00 A0 13 01 4E ...............N
040 : 54 4C 4D 53 53 50 00 03 00 00 00 18 00 18 00 6C TLMSSP.........l
050 : 00 00 00 18 00 18 00 84 00 00 00 0E 00 0E 00 40 ...............@
060 : 00 00 00 12 00 12 00 4E 00 00 00 0C 00 0C 00 60 .......N.......`
070 : 00 00 00 10 00 10 00 9C 00 00 00 15 82 88 E0 46 ...............F
080 : 00 45 00 4C 00 54 00 45 00 4E 00 31 00 52 00 75 .E.L.T.E.N.1.R.u
090 : 00 65 00 64 00 69 00 67 00 65 00 72 00 47 00 44 .e.d.i.g.e.r.G.D
0a0 : 00 41 00 30 00 34 00 38 00 4C 00 94 9A EE 95 CF .A.0.4.8.L......
0b0 : E3 74 71 00 00 00 00 00 00 00 00 00 00 00 00 00 .tq.............
0c0 : 00 00 00 AA 1B 5C 9D 03 B1 01 2B 91 1B DD 13 02 .....\....+.....
0d0 : 48 D6 0B 33 F7 72 FE 85 7B 45 C6 C7 08 D6 EB 6C H..3.r..{E.....l
0e0 : D8 CB D0 AB 37 96 18 B4 8C 80 ED 00 57 00 69 00 ....7.......W.i.
0f0 : 6E 00 64 00 6F 00 77 00 73 00 20 00 32 00 30 00 n.d.o.w.s. .2.0.
100 : 30 00 32 00 20 00 32 00 36 00 30 00 30 00 20 00 0.2. .2.6.0.0. .
110 : 53 00 65 00 72 00 76 00 69 00 63 00 65 00 20 00 S.e.r.v.i.c.e. .
120 : 50 00 61 00 63 00 6B 00 20 00 31 00 00 00 57 00 P.a.c.k. .1...W.
130 : 69 00 6E 00 64 00 6F 00 77 00 73 00 20 00 32 00 i.n.d.o.w.s. .2.
140 : 30 00 30 00 32 00 20 00 35 00 2E 00 31 00 00 00 0.0.2. .5...1...
150 : 00 00 ..


and
NETBIOS SMB-DS IPC$ share unicode access:

length = 82

000 : 00 00 00 4E FF 53 4D 42 75 00 00 00 00 18 07 C8 ...N.SMBu.......
010 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 FF FE ................
020 : 00 08 30 00 04 FF 00 4E 00 08 00 01 00 23 00 00 ..0....N.....#..
030 : 5C 00 5C 00 42 00 41 00 54 00 43 00 48 00 32 00 \.\.B.A.T.C.H.2.
040 : 5C 00 49 00 50 00 43 00 24 00 00 00 3F 3F 3F 3F \.I.P.C.$...????
050 : 3F 00                                           ?.



_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs


_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/...fo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.p...st=snort-users
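The two dumps quoted in the thread decoded field by field, plus the rule-header direction check that Joshua's reply and Stefan's `var EXTERNAL_NET any` turn on. This is an added example, not code from the post, from Snort or from ISS; the packet bytes are transcribed from the hex dumps above (NetBIOS session header plus SMB only, no IP/TCP), the field offsets follow the SMB1 and NTLMSSP wire formats, and the addresses and the 192.168.1.0/24 HOME_NET in the direction check are constructed for illustration, not taken from the post.

```python
"""Decode the SMB dumps from the thread and evaluate the rule-header direction.

Added example, not code from the post or from Snort. Packet bytes are
transcribed from the hex dumps in the post; field offsets follow the SMB1
and NTLMSSP wire formats. Addresses and HOME_NET below are made up.
"""
import ipaddress
import struct

# Packet the post shows for SID 2404: Session Setup AndX request, 338 bytes.
SESSION_SETUP = bytes.fromhex(
    "0000014EFF534D4273000000001807C8" "0000000000000000000000000000FFFE"
    "000820000CFF004E0104110A00000000" "000000AC0000000000D40000A013014E"
    "544C4D5353500003000000180018006C" "00000018001800840000000E000E0040"
    "000000120012004E0000000C000C0060" "000000100010009C000000158288E046"
    "0045004C00540045004E003100520075" "00650064006900670065007200470044"
    "0041003000340038004C00949AEE95CF" "E3747100000000000000000000000000"
    "000000AA1B5C9D03B1012B911BDD1302" "48D60B33F772FE857B45C6C708D6EB6C"
    "D8CBD0AB379618B48C80ED0057006900" "6E0064006F0077007300200032003000"
    "30003200200032003600300030002000" "53006500720076006900630065002000"
    "5000610063006B002000310000005700" "69006E0064006F007700730020003200"
    "300030003200200035002E0031000000" "0000"
)
# Packet the post shows for SID 2466: Tree Connect AndX request, 82 bytes.
TREE_CONNECT = bytes.fromhex(
    "0000004EFF534D4275000000001807C8" "0000000000000000000000000000FFFE"
    "0008300004FF004E0008000100230000" "5C005C00420041005400430048003200"
    "5C00490050004300240000003F3F3F3F" "3F00"
)

# magic, command, status, flags, flags2, (PIDHigh+signature+reserved), tid, pid, uid, mid
SMB_HDR = struct.Struct("<4sBIBH12xHHHH")


def smb_header(pkt):
    """Validate the NetBIOS session length and return the SMB1 header fields."""
    nb_len = int.from_bytes(pkt[1:4], "big")
    if pkt[0] != 0 or nb_len + 4 != len(pkt):
        raise ValueError("NetBIOS session length does not match the capture")
    magic, cmd, _status, _flags, flags2, tid, _pid, uid, mid = SMB_HDR.unpack_from(pkt, 4)
    if magic != b"\xffSMB":
        raise ValueError("not an SMB1 message")
    # Flags2 bit 15 (SMB_FLAGS2_UNICODE): string fields are UTF-16LE.
    return {"command": cmd, "unicode": bool(flags2 & 0x8000), "tid": tid, "uid": uid, "mid": mid}


def utf16z(buf, pos):
    """Decode a NUL-terminated UTF-16LE string at pos; return (text, position after NUL)."""
    end = pos
    while buf[end:end + 2] not in (b"\0\0", b""):
        end += 2
    if buf[end:end + 2] != b"\0\0":
        raise ValueError("unterminated UTF-16 string")
    return buf[pos:end].decode("utf-16-le"), end + 2


def session_setup_andx(pkt):
    """Parse Session Setup AndX (0x73), extended-security form (WordCount 12),
    and pull domain/user/workstation out of the NTLMSSP AUTHENTICATE blob."""
    out = smb_header(pkt)
    if out["command"] != 0x73 or pkt[36] != 12:
        raise ValueError("not an extended-security Session Setup AndX request")
    blob_len = struct.unpack_from("<H", pkt, 51)[0]   # SecurityBlobLength
    blob = pkt[63:63 + blob_len]                       # blob starts right after ByteCount
    if blob[:8] != b"NTLMSSP\0" or struct.unpack_from("<I", blob, 8)[0] != 3:
        raise ValueError("security blob is not an NTLMSSP AUTHENTICATE message")
    if not struct.unpack_from("<I", blob, 60)[0] & 1:  # NTLMSSP_NEGOTIATE_UNICODE
        raise ValueError("OEM (non-Unicode) NTLM strings not handled here")
    for name, off in (("domain", 28), ("user", 36), ("workstation", 44)):
        length, _maxlen, offset = struct.unpack_from("<HHI", blob, off)
        out[name] = blob[offset:offset + length].decode("utf-16-le")
    pos = 63 + blob_len
    pos += (pos - 4) % 2                 # NativeOS is 16-bit aligned from the SMB header
    out["native_os"], pos = utf16z(pkt, pos)
    out["native_lanman"], _ = utf16z(pkt, pos)
    return out


def tree_connect_andx(pkt):
    """Parse Tree Connect AndX (0x75): share path and requested service."""
    out = smb_header(pkt)
    if out["command"] != 0x75 or pkt[36] != 4 or not out["unicode"]:
        raise ValueError("not a Unicode Tree Connect AndX request")
    pw_len = struct.unpack_from("<H", pkt, 43)[0]      # PasswordLength
    pos = 47 + pw_len
    pos += (pos - 4) % 2                               # path is 16-bit aligned
    out["path"], pos = utf16z(pkt, pos)
    out["service"] = pkt[pos:].split(b"\0", 1)[0].decode("ascii")
    out["ipc_share"] = out["path"].upper().endswith("\\IPC$")
    return out


def addr_in(ip, spec, home_net):
    """Evaluate a Snort-style address spec: 'any', '$HOME_NET', '!$HOME_NET' or a CIDR."""
    if spec == "any":
        return True
    body = spec.lstrip("!")
    net = ipaddress.ip_network(home_net if body == "$HOME_NET" else body)
    return (ipaddress.ip_address(ip) in net) != spec.startswith("!")


def rule_header_matches(src, dst, dport, home_net, external_net):
    """Header shared by SID 2404 and 2466: $EXTERNAL_NET any -> $HOME_NET 445."""
    return dport == 445 and addr_in(src, external_net, home_net) and addr_in(dst, "$HOME_NET", home_net)


if __name__ == "__main__":
    print(session_setup_andx(SESSION_SETUP))
    print(tree_connect_andx(TREE_CONNECT))
    for ext in ("any", "!$HOME_NET"):   # 192.168.1.0/24 is an assumed LAN, not from the post
        print(ext, rule_header_matches("192.168.1.10", "192.168.1.20", 445, "192.168.1.0/24", ext))
```

The decoder shows what the two packets actually carry: an NTLMSSP type 3 logon with a nine-character account name (no overflow-length username), and a Tree Connect to `\\BATCH2\IPC$`, which is exactly what SID 2466 is written to report. The direction check shows why the rules fire on workstation-to-workstation traffic at all: with `var EXTERNAL_NET any` every source address satisfies `$EXTERNAL_NET`, so the rule header `$EXTERNAL_NET any -> $HOME_NET 445` matches inside the LAN. Setting `var EXTERNAL_NET !$HOME_NET` in snort.conf (with HOME_NET set to the real internal ranges rather than `any`) is the standard way to get the internal/external split Joshua describes.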