[Snort-users] Repeated NETBIOS SMB DCERPC NTLMSSP asn1 overflow attempt


12-29-2004
Andrea Venturoli

Hello.
On a network I manage I'm getting a lot of the following messages:

Dec 29 12:00:00 mybdc snort: [1:2382:14] NETBIOS SMB DCERPC NTLMSSP asn1 overflow attempt [Classification: Attempted Administrator Privilege Gain] [Priority: 1]: {TCP} 192.168.101.115:4269 -> 192.168.101.4:139


It started a few days ago, always from the same client IP (Windows 2000)
to the same server IP (Samba BDC) and every 10-15 seconds.

Given this, I suspect some not so nice process on the client side and,
while I believe this particular server can't be affected by this bug,
I'd still love to stop it.

I've captured one such packet and here it is below. I really lack
the knowledge to analyse it in detail, but I'd be happy if someone with
more experience could give me any suggestions.

bye & Thanks
av.

11:01:00.931765 myclient.xxxxxxxx.yy.3507 > mybdc.xxxxxxxx.yy.netbios-ssn: P [tcp sum ok] 209:403(194) ack 95 win 65441
>>> NBT Packet

NBT Session Packet
Flags=0x0
Length=190 (0xbe)

SMB PACKET: SMBsesssetupX (REQUEST)
SMB Command = 0x73
Error class = 0x0
Error code = 0 (0x0)
Flags1 = 0x18
Flags2 = 0x7
Tree ID = 0 (0x0)
Proc ID = 65279 (0xfeff)
UID = 0 (0x0)
MID = 64 (0x40)
Word Count = 13 (0xd)
Com2=0x75
Res1=0x0
Off2=159 (0x9f)
MaxBuffer=16644 (0x4104)
MaxMpx=50 (0x32)
VcNumber=0 (0x0)
SessionKey=0x9347
CaseInsensitivePasswordLength=24 (0x18)
CaseSensitivePasswordLength=24 (0x18)
Res=0x0
Capabilities=0xD4
Pass1&Pass2&Account&Domain&OS&LanMan=
[000] C3 D5 24 4D 62 0F 5B B5 8D 66 66 0D BB 17 EE 01
\303\325$Mb\017[\265 \215ff\015\273\027\356\001
[010] DE 24 BA C8 36 C7 F4 1C 2D 43 CD 48 F7 3B FE 89
\336$\272\3106\307\364\034 -C\315H\367;\376\211
[020] 8E BB 9D 8A 05 84 45 00 02 25 05 C7 96 1A EA D5
\216\273\235\212\005\204E\000 \002%\005\307\226\032\352\325
[030] XX XX XX XX 00 XX XX XX XX XX XX XX XX 00 57 69 user\000MYDOMAIN\000Wi
[040] 6E 64 6F 77 73 20 32 30 30 30 20 32 31 39 35 00 ndows 20 00 2195\000
[050] 57 69 6E 64 6F 77 73 20 32 30 30 30 20 35 2E 30 Windows 2000 5.0
[060] 00 00 \000\000

SMB PACKET: SMBtconX (REQUEST) (CHAINED)
smbvwv[]=
Com2=0xFF
Off2=190 (0xbe)
Flags=0x8
PassLen=1 (0x1)
Passwd&Path&Device=
PassLen=1 (0x1)
Passwd&Path&Device=
smb_bcc=20
smb_buf[]=
[000] 00 5C 5C XX XX XX XX XX 5C 49 50 43 24 00 3F 3F \000\\MYBDC\IPC$\000??
[010] 3F 3F 3F 00 ???\000


(DF) (ttl 128, id 61947, len 234)
0x0000 4500 00ea f1fb 4000 8006 bc49 c0a8 6573 E.....@....I..es
0x0010 c0a8 6504 0db3 008b e351 0141 eba9 1cb4 ..e......Q.A....
0x0020 5018 ffa1 8b8f 0000 0000 00be ff53 4d42 P............SMB
0x0030 7300 0000 0018 0748 0000 0000 0000 0000 s......H........
0x0040 0000 0000 0000 fffe 0000 4000 0d75 009f ..........@..u..
0x0050 0004 4132 0000 0047 9300 0018 0018 0000 ..A2...G........
0x0060 0000 00d4 0000 0062 00c3 d524 4d62 0f5b .......b...$Mb.[
0x0070 b58d 6666 0dbb 17ee 01de 24ba c836 c7f4 ..ff......$..6..
0x0080 1c2d 43cd 48f7 3bfe 898e bb9d 8a05 8445 .-C.H.;........E
0x0090 0002 2505 c796 1aea d5XX XXXX XX00 XXXX ..%......user.MY
0x00a0 XXXX XXXX XXXX 0057 696e 646f 7773 2032 DOMAIN.Windows.2
0x00b0 3030 3020 3231 3935 0057 696e 646f 7773 000.2195.Windows
0x00c0 2032 3030 3020 352e 3000 0004 ff00 be00 .2000.5.0.......
0x00d0 0800 0100 1400 005c 5cXX XXXX XXXX 5c49 .......\\MYBDC\I
0x00e0 5043 2400 3f3f 3f3f 3f00 PC$.?????.


_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
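Added example, not code from the post, from Snort or from Samba: a Python decoder for the packet dumped above. It rebuilds the 234-byte packet from the poster's tcpdump hex lines, fills the bytes the poster masked with XX using the placeholder names the post's own ASCII column shows (user, MYDOMAIN, MYBDC; assumed, not the real names), then walks IPv4, TCP, the NBT session header, the SMB header, the SessionSetupAndX parameter words and the chained TreeConnectAndX. It goes one step beyond the post's packet by also recognising the 12-word extended-security form of SessionSetupAndX, the only variant that carries an ASN.1-encoded SPNEGO/NTLMSSP security blob; the post's request uses the 13-word legacy form.

```python
# Added example, not code from the post or from Snort.  HEXDUMP is the poster's
# tcpdump -x output minus the ASCII column; the 17 bytes the poster masked with XX
# are filled from MASKED (placeholder names taken from the post's ASCII column).
import re
import struct

HEXDUMP = """
0x0000 4500 00ea f1fb 4000 8006 bc49 c0a8 6573
0x0010 c0a8 6504 0db3 008b e351 0141 eba9 1cb4
0x0020 5018 ffa1 8b8f 0000 0000 00be ff53 4d42
0x0030 7300 0000 0018 0748 0000 0000 0000 0000
0x0040 0000 0000 0000 fffe 0000 4000 0d75 009f
0x0050 0004 4132 0000 0047 9300 0018 0018 0000
0x0060 0000 00d4 0000 0062 00c3 d524 4d62 0f5b
0x0070 b58d 6666 0dbb 17ee 01de 24ba c836 c7f4
0x0080 1c2d 43cd 48f7 3bfe 898e bb9d 8a05 8445
0x0090 0002 2505 c796 1aea d5XX XXXX XX00 XXXX
0x00a0 XXXX XXXX XXXX 0057 696e 646f 7773 2032
0x00b0 3030 3020 3231 3935 0057 696e 646f 7773
0x00c0 2032 3030 3020 352e 3000 0004 ff00 be00
0x00d0 0800 0100 1400 005c 5cXX XXXX XXXX 5c49
0x00e0 5043 2400 3f3f 3f3f 3f00
"""
MASKED = b"user" + b"MYDOMAIN" + b"MYBDC"  # constructed fill for the XX bytes, in order
SMB_MAGIC = b"\xffSMB"
SMB_COM_SESSION_SETUP_ANDX, SMB_COM_TREE_CONNECT_ANDX = 0x73, 0x75
FLAGS2_EXTENDED_SECURITY = 0x0800


def parse_hexdump(text, masked=MASKED):
    """Turn tcpdump -x lines back into bytes; each XX pair is taken from `masked`."""
    fill, out = iter(masked), bytearray()
    for line in text.strip().splitlines():
        body = re.sub(r"^0x[0-9a-fA-F]{4}\s+", "", line.strip())
        for group in body.split():
            for i in range(0, len(group), 2):
                pair = group[i:i + 2]
                out.append(next(fill) if pair == "XX" else int(pair, 16))
    return bytes(out)


def cstring(buf, pos):
    """Return (NUL-terminated OEM string, offset just past the NUL)."""
    end = buf.index(b"\x00", pos)
    return buf[pos:end].decode("latin-1"), end + 1


def parse_session_setup(pkt):
    """Walk IPv4 -> TCP -> NBT session -> SMB header -> SessionSetupAndX -> AndX chain."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack_from("!H", pkt, 2)[0]
    src_port, dst_port = struct.unpack_from("!HH", pkt, ihl)
    payload = pkt[ihl + (pkt[ihl + 12] >> 4) * 4:total_len]
    nbt_type, _nbt_flags, nbt_len = struct.unpack_from("!BBH", payload, 0)  # big-endian
    if nbt_type != 0x00:
        raise ValueError("not an NBT session message")
    smb = payload[4:4 + nbt_len]
    if smb[:4] != SMB_MAGIC:
        raise ValueError("no SMB header")
    # 32-byte little-endian SMB header.  tcpdump in the post printed only the low
    # byte of Flags2 (0x7); the bytes 07 48 decode to 0x4807.
    command, status, flags1, flags2, _pid_high = struct.unpack_from("<BIBHH", smb, 4)
    tid, pid, uid, mid = struct.unpack_from("<HHHH", smb, 24)
    if command != SMB_COM_SESSION_SETUP_ANDX:
        raise ValueError("not SessionSetupAndX: command 0x%02x" % command)
    wct = smb[32]
    if wct not in (12, 13):
        raise ValueError("unexpected word count %d" % wct)
    # 13 words: legacy NT LM 0.12 form, LM/NTLM responses inline, no security blob.
    # 12 words: extended-security form, the only one carrying a SPNEGO/NTLMSSP
    # (ASN.1-encoded) blob; a SecurityBlobLength replaces the two password lengths.
    words = struct.unpack_from("<BBHHHHIHHII" if wct == 13 else "<BBHHHHIHII", smb, 33)
    bcc = struct.unpack_from("<H", smb, 33 + 2 * wct)[0]
    data = smb[35 + 2 * wct:35 + 2 * wct + bcc]
    info = dict(src_port=src_port, dst_port=dst_port, nbt_len=nbt_len, command=command,
                status=status, flags1=flags1, flags2=flags2, tid=tid, pid=pid, uid=uid,
                mid=mid, word_count=wct, andx_command=words[0], andx_offset=words[2],
                max_buffer=words[3], max_mpx=words[4], vc_number=words[5],
                session_key=words[6], capabilities=words[-1], byte_count=bcc,
                extended_security_flag=bool(flags2 & FLAGS2_EXTENDED_SECURITY))
    if wct == 13:
        oem_len, uni_len = words[7], words[8]
        account, pos = cstring(data, oem_len + uni_len)   # skip the two responses
        domain, pos = cstring(data, pos)
        native_os, pos = cstring(data, pos)
        native_lanman, _ = cstring(data, pos)
        info.update(oem_password_len=oem_len, unicode_password_len=uni_len, account=account,
                    domain=domain, native_os=native_os, native_lanman=native_lanman,
                    security_blob=None)
    else:
        info.update(security_blob=bytes(data[:words[7]]))
    # Chained TreeConnectAndX; its AndXOffset counts from the start of the SMB header.
    if info["andx_command"] == SMB_COM_TREE_CONNECT_ANDX:
        p = info["andx_offset"] + 1                      # skip its word count byte (4)
        next_cmd, _r, next_off, tc_flags, pw_len = struct.unpack_from("<BBHHH", smb, p)
        tc_bcc = struct.unpack_from("<H", smb, p + 8)[0]
        tc_data = smb[p + 10:p + 10 + tc_bcc]
        path, q = cstring(tc_data, pw_len)               # password bytes precede the path
        service, _ = cstring(tc_data, q)
        info["tree_connect"] = dict(flags=tc_flags, password_len=pw_len, byte_count=tc_bcc,
                                    path=path, service=service, andx_command=next_cmd,
                                    andx_offset=next_off)
    return info


if __name__ == "__main__":
    print(parse_session_setup(parse_hexdump(HEXDUMP)))
```

Run as a script it prints every decoded field; the values agree with tcpdump's decode above (Com2 0x75 at offset 159, both password lengths 24, Capabilities 0xd4, a chained SMBtconX to \\MYBDC\IPC$ with byte count 20). Two things the dump alone does not make obvious: Flags2 is really 0x4807 (tcpdump showed only the low byte), and its 0x0800 bit advertises extended security, yet the request is the 13-word legacy SessionSetupAndX, which carries the LM and NTLM responses inline and no SPNEGO/NTLMSSP security blob; the 12-word form, which the decoder also handles, is the one that carries such a blob.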