 |
 |
We have been experiencing a rising number of netbios type attacks from on-campus hosts lately, and I'm curious if anyone else has seen this also? The typical pattern is for a host to repeatedly trigger the following three alerts: "NETBIOS SMB-DS lsass DsRolerUpgradeDownlevelServer unicode little endian overflow attempt" http://www.snort.org/pub-bin/sigs.cgi?sid=5219 "NETBIOS SMB srvsvc NetrPathCanonicalize WriteAndX unicode little endian overflow attempt" http://www.snort.org/pub-bin/sigs.cgi?sid=7241 "NETBIOS DCERPC NCACN-IP-TCP ISystemActivator RemoteCreateInstance little endian attempt" http://www.snort.org/pub-bin/sigs.cgi?sid=9601 We typically go the safe route and forward the log to abuse and block these hosts at our firewall, but I still have this nagging concern these might be false positives. Has anyone else seen this activity, and if so are you doing anything about it? Joe -- Joe Mesterhazy UNIX Administrator, RHCE MSU Department of Radiology [log in to unmask] 115 Radiology Building