Re: [Snort-users] Help with a particular alert (Snort forums, System Security and Security Related)
Yeah, that WOULD make sense, wouldn't it? =) Here's what I get from
ACID, under the "Payload" section:

length = 226
000 : 00 00 00 DE FF 53 4D 42 73 00 00 00 00 18 07 C8 .....SMBs.......
010 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 FF FE ................
020 : 00 00 40 00 0D 75 00 A8 00 04 11 32 00 00 00 00 ..@..u.....2....
030 : 00 00 00 01 00 00 00 00 00 00 00 D4 00 00 00 6B ...............k
040 : 00 00 00 00 00 00 57 00 69 00 6E 00 64 00 6F 00 ......W.i.n.d.o.
050 : 77 00 73 00 20 00 53 00 65 00 72 00 76 00 65 00 w.s. .S.e.r.v.e.
060 : 72 00 20 00 32 00 30 00 30 00 33 00 20 00 33 00 r. .2.0.0.3. .3.
070 : 37 00 39 00 30 00 00 00 00 00 57 00 69 00 6E 00 7.9.0.....W.i.n.
080 : 64 00 6F 00 77 00 73 00 20 00 53 00 65 00 72 00 d.o.w.s. .S.e.r.
090 : 76 00 65 00 72 00 20 00 32 00 30 00 30 00 33 00 v.e.r. .2.0.0.3.
0a0 : 20 00 35 00 2E 00 32 00 00 00 00 00 04 FF 00 DE  .5...2.........
0b0 : 00 08 00 01 00 2B 00 00 5C 00 5C 00 32 00 32 00 .....+..\.\.2.2.
0c0 : 36 00 30 00 36 00 33 00 32 00 2D 00 43 00 42 00 6.0.6.3.2.-.C.B.
0d0 : 5C 00 49 00 50 00 43 00 24 00 00 00 3F 3F 3F 3F \.I.P.C.$...????
0e0 : 3F 00 ?.

To my untrained eye, it seems innocuous enough, like a Win2k3
announcement or something, but maybe someone else can decipher it
better for me. Thanks again.

Paul Martin
Network Technician
Hilton Grand Vacations Co.
(407) 393-3034
pmartin@hgvc.com

Scott Zawalski wrote:
> There is no way for us to tell if it is a false positive without
> actual packet data. Just X out the IPs and post it.
>
> Scott
>
> Paul Martin wrote:
>
>> Ok, this is really bugging me. I've got 2 systems on our network that
>> are continually spewing out something that's tripping this rule:
>>
>> Sep 17 08:19:55 hgvsnort snort: [1:2382:13] NETBIOS SMB DCERPC
>> NTLMSSP asn1 overflow attempt [Classification: Attempted
>> Administrator Privilege Gain] [Priority: 1]: {TCP} <IP address
>> A>:2622 -> <IP address B>:139
>>
>> I'm familiar with the ASN1 overflow attack, which is why I'm a little
>> nervous that I'm seeing it on my network. Now, both <IP address A>
>> and <IP address B> are internal IPs. And <IP address B> is always
>> one of 3 systems: both DNS servers, and a random client. They've got
>> the most current anti-virus and have been scanned for spyware. What
>> is it that I'm missing? Could it be a false positive? I don't
>> really think it is, but I'm open to suggestion at this point.
>
> -------------------------------------------------------
> This SF.Net email is sponsored by: YOU BE THE JUDGE. Be one of 170
> Project Admins to receive an Apple iPod Mini FREE for your judgement on
> who ports your project to Linux PPC the best. Sponsored by IBM.
> Deadline: Sept. 24. Go here: http://sf.net/ppc_contest.php
> _______________________________________________
> Snort-users mailing list
> Snort-users@lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/...fo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.p...st=snort-users
hi, I also have multiple "NETBIOS SMB DCERPC NTLMSSP asn1 overflow
attempt" alerts (twice an hour). I cannot figure out if it is a false positive or not. I am quite new to snort, so please excuse my newbieness :-).

I am testing snort mostly to locate infected computers on my network. My snort config is a standalone Win XP SP2. Snort is logging to an MSSQL server located elsewhere (I know this sux, but no choice :-( ). The snort computer is connected to a switch (for the moment, I am just testing). This means the packet was addressed to the computer running snort. The suspicious computer belongs to $EXTERNAL_NET and the snort_computer belongs to $HOME_NET.

NETBIOS SMB DCERPC NTLMSSP asn1 overflow attempt (snort id 2382)
suspicious_computer:1080->snort_computer:139

Here is the payload (from ACID):

000 : 00 00 00 FE FF 53 4D 42 73 00 00 00 00 18 07 C8 ......SMBs.......
010 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 FF FE .................
020 : 00 08 20 00 0C FF 00 FE 00 04 11 0A 00 00 00 00 .. ..............
030 : 00 00 00 5D 00 00 00 00 00 D4 00 00 A0 C3 00 4E ....]...........N
040 : 54 4C 4D 53 53 50 00 03 00 00 00 01 00 01 00 4C TLMSSP.........L
050 : 00 00 00 00 00 00 00 4D 00 00 00 00 00 00 00 40 ........M.......@
060 : 00 00 00 00 00 00 00 40 00 00 00 0C 00 0C 00 40 ........@.......@
070 : 00 00 00 10 00 10 00 4D 00 00 00 15 8A 88 E0 4 .............X....

Often, the alert comes with a "NETBIOS SMB IPC$ share unicode access" alert from the same computer.

NETBIOS SMB IPC$ share unicode access (snort id 538)
suspicious_computer:1120->snort_computer:139

Here is the payload (from ACID):

000 : 00 00 00 52 FF 53 4D 42 75 00 00 00 00 18 07 C8 ....R.SMBu.......
010 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 FF FE .................
020 : 00 08 30 00 04 FF 00 52 00 08 00 01 00 27 00 00 ...0....R.....'..
030 : 5C 00 5C 00 58 00 50 00 2D 00 47 00 58 00 31 00 \.\.X.P.-.G.X.1.
040 : 2D 00 31 00 5C 00 49 00 50 00 43 00 24 00 00 00 -.1.\.I.P.C.$...
050 : 3F 3F 3F 3F 3F 00 ?????.

note: snort_computer is named XP-GX1-1

I suspect a virus or hacktool is running on the originating computer, but I am still unsure. Can someone help me to analyse the packet content?
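Both posters above ask what their payloads mean. The following Python is an added example for this thread, not code from the posters, from Snort or from ACID: it parses ACID's "Payload" rows back into bytes, walks the NetBIOS session header, the SMB header and the AndX chain, and pulls out the fields that matter for triage. Field offsets follow the SMB_COM_SESSION_SETUP_ANDX and SMB_COM_TREE_CONNECT_ANDX request layouts in MS-CIFS and the NTLMSSP AUTHENTICATE_MESSAGE layout in MS-NLMP; the function and constant names are mine. The three dumps are re-entered from the thread as test input with their ASCII columns dropped (the second is truncated where ACID truncated it). Decoded, Paul's packet is a 13-word Session Setup AndX with an empty account name and domain, whose NativeOS and NativeLanMan strings read "Windows Server 2003 3790" and "Windows Server 2003 5.2", chained to a Tree Connect AndX to \\2260632-CB\IPC$. The second poster's packet is an extended-security Session Setup whose security blob is raw NTLMSSP (it begins with the NTLMSSP signature, not an ASN.1 tag) carrying a type 3 AUTHENTICATE message with a one-byte LM response, a zero-length NT response and empty user and domain, which is the anonymous form of NTLM; the companion packet is a Tree Connect AndX to \\XP-GX1-1\IPC$. At the SMB level all three are null-session IPC$ connections; what the sending hosts do over that session is not in the dumps.

```python
# Added example for this thread (not code from the posters, Snort or ACID): decode the ACID
# "Payload" dumps quoted above.  Field layouts follow MS-CIFS (SMB_COM_SESSION_SETUP_ANDX and
# SMB_COM_TREE_CONNECT_ANDX requests) and MS-NLMP (NTLMSSP AUTHENTICATE_MESSAGE).
import re
import struct

# One ACID row is 'OFF : HH HH ... HH ascii'; the ASCII column is ignored, rows may be run together
ROW = re.compile(r"\b[0-9A-Fa-f]{3} :((?: [0-9A-Fa-f]{2}){1,16})")
COMMANDS = {0x73: "SESSION_SETUP_ANDX", 0x75: "TREE_CONNECT_ANDX"}


def parse_acid_dump(text):
    return bytes(int(h, 16) for m in ROW.finditer(text) for h in m.group(1).split())


def utf16z(buf, off):  # NUL-terminated UTF-16LE string at off -> (text, offset past the NUL)
    end = off
    while end + 1 < len(buf) and buf[end:end + 2] != b"\x00\x00":
        end += 2
    return buf[off:end].decode("utf-16-le", "replace"), end + 2


def decode_ntlmssp(blob):  # signature, message type and the six descriptors of a type 3
    if not blob.startswith(b"NTLMSSP\x00"):
        return {"signature": blob[:8].hex()}
    out = {"message_type": struct.unpack_from("<I", blob, 8)[0]}
    if out["message_type"] == 3:
        fields = ("lm_response", "nt_response", "domain", "user", "workstation", "session_key")
        for i, name in enumerate(fields):
            ln, _, off = struct.unpack_from("<HHI", blob, 12 + 8 * i)
            # ACID cut the posted dump short, so a descriptor may point past the captured blob
            out[name] = {"len": ln, "data": blob[off:off + ln] if off + ln <= len(blob) else None}
        out["negotiate_flags"] = struct.unpack_from("<I", blob, 60)[0]
    return out


def decode_command(smb, cmd, off, unicode):  # -> (fields, next AndX command, its offset)
    wc = smb[off]
    words = smb[off + 1:off + 1 + 2 * wc]
    bc = struct.unpack_from("<H", smb, off + 1 + 2 * wc)[0]
    data = off + 3 + 2 * wc  # start of the byte block
    entry = {"command": COMMANDS.get(cmd, hex(cmd)), "word_count": wc, "byte_count": bc}
    andx_cmd, andx_off = 0xFF, data + bc
    if cmd in COMMANDS:  # AndX commands: the words start with AndXCommand, reserved, AndXOffset
        andx_cmd, _, andx_off = struct.unpack_from("<BBH", words, 0)
    if cmd == 0x73 and wc == 13:  # NT LM 0.12 session setup without extended security
        oem_len, uni_len = struct.unpack_from("<HH", words, 14)
        p = data + oem_len + uni_len
        p += p % 2 if unicode else 0  # Unicode strings are 16-bit aligned to the header start
        for name in ("account", "domain", "native_os", "native_lanman"):
            entry[name], p = utf16z(smb, p)
            if name.startswith("native") and smb[p:p + 2] == b"\x00\x00":
                p += 2  # the posted capture carries a second NUL pair after each of these two
    elif cmd == 0x73 and wc == 12:  # extended security: the password fields become a blob
        entry["ntlmssp"] = decode_ntlmssp(smb[data:data + struct.unpack_from("<H", words, 14)[0]])
    elif cmd == 0x75:
        p = data + struct.unpack_from("<H", words, 6)[0]  # skip the password bytes
        p += p % 2 if unicode else 0
        entry["path"], p = utf16z(smb, p)
        entry["service"] = smb[p:smb.index(b"\x00", p)].decode("ascii", "replace")
    return entry, andx_cmd, andx_off


def decode_smb(pkt):  # NetBIOS session header, SMB1 header and the AndX chain of one request
    smb = pkt[4:]
    if smb[:4] != b"\xffSMB":
        raise ValueError("not an SMB1 message")
    cmd, unicode = smb[4], bool(struct.unpack_from("<H", smb, 10)[0] & 0x8000)
    info = {"netbios_length": int.from_bytes(pkt[1:4], "big"), "captured": len(smb),
            "uid": struct.unpack_from("<H", smb, 28)[0], "unicode": unicode, "commands": []}
    off = 32
    while cmd != 0xFF and off < len(smb):
        entry, cmd, off = decode_command(smb, cmd, off, unicode)
        info["commands"].append(entry)
    return info


# The three dumps quoted in the thread, re-entered as test input (ASCII columns dropped, two
# rows per line; the garbled 16th byte of the second dump's last row is omitted).
PAUL_DUMP = """
000 : 00 00 00 DE FF 53 4D 42 73 00 00 00 00 18 07 C8  010 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 FF FE
020 : 00 00 40 00 0D 75 00 A8 00 04 11 32 00 00 00 00  030 : 00 00 00 01 00 00 00 00 00 00 00 D4 00 00 00 6B
040 : 00 00 00 00 00 00 57 00 69 00 6E 00 64 00 6F 00  050 : 77 00 73 00 20 00 53 00 65 00 72 00 76 00 65 00
060 : 72 00 20 00 32 00 30 00 30 00 33 00 20 00 33 00  070 : 37 00 39 00 30 00 00 00 00 00 57 00 69 00 6E 00
080 : 64 00 6F 00 77 00 73 00 20 00 53 00 65 00 72 00  090 : 76 00 65 00 72 00 20 00 32 00 30 00 30 00 33 00
0a0 : 20 00 35 00 2E 00 32 00 00 00 00 00 04 FF 00 DE  0b0 : 00 08 00 01 00 2B 00 00 5C 00 5C 00 32 00 32 00
0c0 : 36 00 30 00 36 00 33 00 32 00 2D 00 43 00 42 00  0d0 : 5C 00 49 00 50 00 43 00 24 00 00 00 3F 3F 3F 3F
0e0 : 3F 00
"""
NTLM_DUMP = """
000 : 00 00 00 FE FF 53 4D 42 73 00 00 00 00 18 07 C8  010 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 FF FE
020 : 00 08 20 00 0C FF 00 FE 00 04 11 0A 00 00 00 00  030 : 00 00 00 5D 00 00 00 00 00 D4 00 00 A0 C3 00 4E
040 : 54 4C 4D 53 53 50 00 03 00 00 00 01 00 01 00 4C  050 : 00 00 00 00 00 00 00 4D 00 00 00 00 00 00 00 40
060 : 00 00 00 00 00 00 00 40 00 00 00 0C 00 0C 00 40  070 : 00 00 00 10 00 10 00 4D 00 00 00 15 8A 88 E0
"""
TREE_CONNECT_DUMP = """
000 : 00 00 00 52 FF 53 4D 42 75 00 00 00 00 18 07 C8  010 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 FF FE
020 : 00 08 30 00 04 FF 00 52 00 08 00 01 00 27 00 00  030 : 5C 00 5C 00 58 00 50 00 2D 00 47 00 58 00 31 00
040 : 2D 00 31 00 5C 00 49 00 50 00 43 00 24 00 00 00  050 : 3F 3F 3F 3F 3F 00
"""
```

decode_smb(parse_acid_dump(text)) works on a dump pasted straight from ACID, including the run-together form on this page. Commands other than the two Session Setup and Tree Connect forms come back as their hex code with word and byte counts only, and anything that is not SMB1 raises instead of guessing, so the decoder never invents fields it has not actually parsed.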