
RE: [Full-Disclosure] NETBIOS SMB IPC$ share unicode access (snort)



On Wed, 15.09.2004 at 22:08, kquest@xxxxxxxxxxxx wrote:

> I presume you have Snort running inside of your
> network, which means that you are going to see
> a lot of Microsoft networking traffic

Yes. That was my intention. I would like to detect
abnormal behavior inside our network (worms/viruses).
I did expect access to shares on my network, but
I did not expect that 6 of 8 hosts are scanning
the network using the SMB protocol, even when no one
is using them. You will understand that such
behavior is suspicious to me.

> where
> IPC$ share access is a common thing. You need
> to make sure you have the $EXTERNAL_NET variable
> set properly, so you wouldn't get alarms for 
> local traffic.

Now I'm not so sure if Snort really is
what I wanted.

Thanks, I guess I will try my luck on
snort-sigs@xxxxxxxxxxxxxxxxxxxxx
as suggested by Dan.

Martin
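
An added example, not part of the original messages: one way to triage the alerts discussed in this thread is to separate those whose source lies outside the local network from internal ones, then count how many distinct hosts each internal source touched, since a file-server client hits one or two peers while a scanning host hits many. The `HOME_NET` range, the `min_peers` threshold, the function names and the sample alert lines (in Snort's "fast" alert layout, with a placeholder sid) are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Assumption: the monitored LAN. Use the value of your own HOME_NET.
HOME_NET = ipaddress.ip_network("192.168.1.0/24")

# Fast alert line: ... [**] [gid:sid:rev] msg [**] ... {PROTO} src:port -> dst:port
ALERT_RE = re.compile(
    r"\[\*\*\] \[[\d:]+\] (?P<msg>.+?) \[\*\*\].*"
    r"\{\w+\} (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+"
)

# Constructed sample alerts, not taken from the post; sid 0 is a placeholder.
_MSG = "[**] [1:0:0] NETBIOS SMB IPC$ share unicode access [**] [Priority: 3] {TCP}"
SAMPLE_ALERTS = [
    f"09/15-21:40:01.000000  {_MSG} 192.168.1.11:1031 -> 192.168.1.20:139",
    f"09/15-21:40:02.000000  {_MSG} 192.168.1.11:1032 -> 192.168.1.21:139",
    f"09/15-21:40:03.000000  {_MSG} 192.168.1.11:1033 -> 192.168.1.22:139",
    f"09/15-21:40:04.000000  {_MSG} 192.168.1.11:1034 -> 192.168.1.23:139",
    f"09/15-21:41:10.000000  {_MSG} 192.168.1.12:1040 -> 192.168.1.20:139",
    f"09/15-21:45:30.000000  {_MSG} 192.168.1.12:1041 -> 192.168.1.20:139",
    f"09/15-21:50:00.000000  {_MSG} 203.0.113.7:4000 -> 192.168.1.20:139",
]


def split_alerts(lines, home_net=HOME_NET):
    """Return (fanout, external): each internal source mapped to the set of
    hosts it contacted, and (src, dst) pairs whose source is outside home_net."""
    fanout, external = defaultdict(set), []
    for line in lines:
        m = ALERT_RE.search(line)
        if not m or "IPC$" not in m["msg"]:
            continue  # not an IPC$ share access alert
        if ipaddress.ip_address(m["src"]) in home_net:
            fanout[m["src"]].add(m["dst"])
        else:
            external.append((m["src"], m["dst"]))
    return fanout, external


def scanning_hosts(fanout, min_peers=3):
    """Internal sources that touched at least min_peers distinct hosts."""
    return sorted(s for s, peers in fanout.items() if len(peers) >= min_peers)


if __name__ == "__main__":
    fan, ext = split_alerts(SAMPLE_ALERTS)
    print("external sources:", ext)
    print("internal hosts with high SMB fan-out:", scanning_hosts(fan))
```
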


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html