We have been experiencing a rising number of NetBIOS-type attacks from
on-campus hosts lately, and I'm curious if anyone else has seen this
also? The typical pattern is for a host to repeatedly trigger the
following three alerts:

"NETBIOS SMB-DS lsass DsRolerUpgradeDownlevelServer unicode little endian overflow attempt"
http://www.snort.org/pub-bin/sigs.cgi?sid=5219

"NETBIOS SMB srvsvc NetrPathCanonicalize WriteAndX unicode little endian overflow attempt"
http://www.snort.org/pub-bin/sigs.cgi?sid=7241

"NETBIOS DCERPC NCACN-IP-TCP ISystemActivator RemoteCreateInstance little endian attempt"
http://www.snort.org/pub-bin/sigs.cgi?sid=9601

We typically go the safe route and forward the log to abuse and block
these hosts at our firewall, but I still have this nagging concern these
might be false positives. Has anyone else seen this activity, and if so,
are you doing anything about it?
Joe
--
Joe Mesterhazy
UNIX Administrator, RHCE
MSU Department of Radiology
115 Radiology Building
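As an added example (not part of the original post), the triage step described above can be scripted: correlate Snort fast-alert lines per source host and report only sources that have hit all three SIDs (5219, 7241, 9601) repeatedly, together with how many distinct destinations they touched. The alert lines below are constructed samples in the `alert_fast` layout; the parse regex and the `min_hits` threshold are assumptions.

```python
import re
from collections import defaultdict

# The three rule SIDs named in the post.
SIDS = {5219: "lsass DsRolerUpgradeDownlevelServer",
        7241: "srvsvc NetrPathCanonicalize WriteAndX",
        9601: "ISystemActivator RemoteCreateInstance"}

# Assumed Snort alert_fast layout: "[**] [gid:sid:rev] msg [**] ... {PROTO} src:sport -> dst:dport"
FAST_RE = re.compile(
    r"\[\*\*\]\s+\[(\d+):(\d+):(\d+)\]\s+.*?\{(\w+)\}\s+"
    r"([\d.]+):(\d+)\s+->\s+([\d.]+):(\d+)")


def parse_fast(line):
    """Return {'sid', 'src', 'dst', 'dport'} for one alert_fast line, or None."""
    m = FAST_RE.search(line)
    if not m:
        return None
    return {"sid": int(m.group(2)), "src": m.group(5),
            "dst": m.group(7), "dport": int(m.group(8))}


def repeat_offenders(lines, min_hits=2):
    """Sources that triggered every SID in SIDS at least min_hits times.

    Result: {src: {"hits": {sid: count}, "targets": distinct_dst_count}}.
    One isolated trigger is easier to write off as a false positive than a
    source cycling through all three exploit rules against several hosts.
    """
    hits = defaultdict(lambda: defaultdict(int))
    targets = defaultdict(set)
    for line in lines:
        rec = parse_fast(line)
        if rec and rec["sid"] in SIDS:
            hits[rec["src"]][rec["sid"]] += 1
            targets[rec["src"]].add(rec["dst"])
    return {src: {"hits": dict(c), "targets": len(targets[src])}
            for src, c in hits.items()
            if all(c.get(sid, 0) >= min_hits for sid in SIDS)}


# Constructed sample alerts: one host cycles through all three rules, another fires once.
SAMPLE = """\
05/14-10:01:02.1 [**] [1:5219:9] NETBIOS SMB-DS lsass ... [**] [Priority: 1] {TCP} 10.10.1.20:3311 -> 10.10.4.8:445
05/14-10:01:02.3 [**] [1:7241:5] NETBIOS SMB srvsvc ... [**] [Priority: 1] {TCP} 10.10.1.20:3312 -> 10.10.4.8:445
05/14-10:01:02.5 [**] [1:9601:3] NETBIOS DCERPC ... [**] [Priority: 1] {TCP} 10.10.1.20:3313 -> 10.10.4.8:135
05/14-10:01:05.1 [**] [1:5219:9] NETBIOS SMB-DS lsass ... [**] [Priority: 1] {TCP} 10.10.1.20:3320 -> 10.10.4.9:445
05/14-10:01:05.3 [**] [1:7241:5] NETBIOS SMB srvsvc ... [**] [Priority: 1] {TCP} 10.10.1.20:3321 -> 10.10.4.9:445
05/14-10:01:05.5 [**] [1:9601:3] NETBIOS DCERPC ... [**] [Priority: 1] {TCP} 10.10.1.20:3322 -> 10.10.4.9:135
05/14-10:02:00.0 [**] [1:5219:9] NETBIOS SMB-DS lsass ... [**] [Priority: 1] {TCP} 10.10.2.7:1025 -> 10.10.4.8:445
""".splitlines()

if __name__ == "__main__":
    for src, info in repeat_offenders(SAMPLE).items():
        print(src, info)
```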