RE: FP for NETBIOS SMB-DS DCERPC NTLMSSP asn1 overflow attempt: sid

Question:

Are you posting this to the sigs list because you think they should be 
removed? Or are you asking the list about why the alerts are triggering??

Shirkdog


> From: Russell Fulton <r.fulton@xxxxxxxxxxxxxx>
> To: snort-sigs@xxxxxxxxxxxxxxxxxxxxx
> Subject: [Snort-sigs] FP for NETBIOS SMB-DS DCERPC NTLMSSP asn1 overflow 
> attempt: sid 2383
> Date: Tue, 19 Oct 2004 13:11:51 +1300
>
> I am seeing many (over a thousand a day) of these on our internal
> network on sessions between well managed machines that I would expect to
> be communicating on port 455.   A quick look at the data portion does
> not appear malicious (no padding or other evidence of overflow attempt).
>
> DATA (Ascii below)
>
> 0000015EFF534D427300
>
> 0000001807C800000000
>
> 00000000000000000000
>
> FFFE000820000CFF005E
>
> 0104110A000000000000
>
> 00BC0000000000D40000
>
> A023014E544C4D535350
>
> 0003000000180018007C
>
> 00000018001800940000
>
> 00120012004800000010
>
> 0010005A000000120012
>
> 006A00000010001000AC
>
> 000000158288E2050128
>
> 0A0000000F4A00410044
>
> 00520041004E004B0041
>
> 0054006A006100640072
>
> 0061006E006B0061004A
>
> 0041004400520041004E
>
> 004B0041005400C1B0DB
>
> B0304BF1650000000000
>
> 00000000000000000000
>
> 00CD042F76B4B3AC6BB6
>
> 3B01139F4D8044D22803
>
> 41AFBE4C952487BF4509
>
> FF82148771BBC3F1D11A
>
> 1B00570069006E006400
>
> 6F007700730020003200
>
> 30003000320020005300
>
> 65007200760069006300
>
> 65002000500061006300
>
> 6B002000320020003200
>
> 36003000300000005700
>
> 69006E0064006F007700
>
> 73002000320030003000
>
> 3200200035002E003100
>
>
>
> ...^.SMBs.
>
> ..........
>
> ..........
>
> .... ....^
>
> ..........
>
> ..........
>
> .#.NTLMSSP
>
> .........|
>
> ..........
>
> .....H....
>
> ...Z......
>
> .j........
>
> .........(
>
> .....J.A.D
>
> .R.A.N.K.A
>
> .T.j.a.d.r
>
> .a.n.k.a.J
>
> .A.D.R.A.N
>
> .K.A.T....
>
> .0K.e.....
>
> ..........
>
> .../v...k.
>
> ;...M.D.(.
>
> A..L.$..E.
>
> ....q.....
>
> ..W.i.n.d.
>
> o.w.s. .2.
>
> 0.0.2. .S.
>
> e.r.v.i.c.
>
> e. .P.a.c.
>
> k. .2. .2.
>
> 6.0.0...W.
>
> i.n.d.o.w.
>
> s. .2.0.0.
>
> 2. .5...1.
> --
> Russell Fulton, Information Security Officer, The University of Auckland
> New Zealand
>
>
>
> -------------------------------------------------------
> This SF.net email is sponsored by: IT Product Guide on ITManagersJournal
> Use IT products in your business? Tell us what you think of them. Give us
> Your Opinions, Get Free ThinkGeek Gift Certificates! Click to find out more
> http://productguide.itmanagersjournal.com/guidepromo.tmpl
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs@xxxxxxxxxxxxxxxxxxxxx
> https://lists.sourceforge.net/lists/listinfo/snort-sigs

_________________________________________________________________
Check out Election 2004 for up-to-date election news, plus voter tools and 
more! http://special.msn.com/msn/election2004.armx



-------------------------------------------------------
This SF.net email is sponsored by: IT Product Guide on ITManagersJournal
Use IT products in your business? Tell us what you think of them. Give us
Your Opinions, Get Free ThinkGeek Gift Certificates! Click to find out more
http://productguide.itmanagersjournal.com/guidepromo.tmpl