Network Security Snort-Signatures

Subject: RE: [Snort-sigs] FP for NETBIOS SMB-DS DCERPC NTLMSSP asn1 overflow attempt: sid 2383
From: M. Shirk
Date: Tue, 19 Oct 2004 15:07:46 -0400
Question:

Are you posting this to the sigs list because you think they should be removed? Or are you asking the list about why the alerts are triggering?

Shirkdog


From: Russell Fulton <r.fulton@auckland.ac.nz>
To: snort-sigs@lists.sourceforge.net
Subject: [Snort-sigs] FP for NETBIOS SMB-DS DCERPC NTLMSSP asn1 overflow attempt: sid 2383
Date: Tue, 19 Oct 2004 13:11:51 +1300


I am seeing many (over a thousand a day) of these on our internal
network on sessions between well managed machines that I would expect to
be communicating on port 455.   A quick look at the data portion does
not appear malicious (no padding or other evidence of overflow attempt).

DATA (hex, ASCII at right)

0000015EFF534D427300  ...^.SMBs.
0000001807C800000000  ..........
00000000000000000000  ..........
FFFE000820000CFF005E  .... ....^
0104110A000000000000  ..........
00BC0000000000D40000  ..........
A023014E544C4D535350  .#.NTLMSSP
0003000000180018007C  .........|
00000018001800940000  ..........
00120012004800000010  .....H....
0010005A000000120012  ...Z......
006A00000010001000AC  .j........
000000158288E2050128  .........(
0A0000000F4A00410044  .....J.A.D
00520041004E004B0041  .R.A.N.K.A
0054006A006100640072  .T.j.a.d.r
0061006E006B0061004A  .a.n.k.a.J
0041004400520041004E  .A.D.R.A.N
004B0041005400C1B0DB  .K.A.T....
B0304BF1650000000000  .0K.e.....
00000000000000000000  ..........
00CD042F76B4B3AC6BB6  .../v...k.
3B01139F4D8044D22803  ;...M.D.(.
41AFBE4C952487BF4509  A..L.$..E.
FF82148771BBC3F1D11A  ....q.....
1B00570069006E006400  ..W.i.n.d.
6F007700730020003200  o.w.s. .2.
30003000320020005300  0.0.2. .S.
65007200760069006300  e.r.v.i.c.
65002000500061006300  e. .P.a.c.
6B002000320020003200  k. .2. .2.
36003000300000005700  6.0.0...W.
69006E0064006F007700  i.n.d.o.w.
73002000320030003000  s. .2.0.0.
3200200035002E003100  2. .5...1.

--
Russell Fulton, Information Security Officer, The University of Auckland
New Zealand



_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

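To check Russell's reading of the dump, here is an added decoder (my own example code, not from the thread or from the Snort project) that parses the 350 bytes posted above as a NetBIOS session message carrying an SMB Session Setup AndX request and takes the NTLMSSP security blob apart. It does not reproduce the logic of SID 2383 (the rule text is not on this page); it only shows what the packet contains: a raw NTLMSSP blob with no SPNEGO/ASN.1 wrapper, an AUTHENTICATE (type 3) message whose six length/offset pairs all stay inside the 188-byte blob, the domain, user and workstation strings, the client version and the NativeOS/NativeLanMan strings. Field layouts follow the MS-CIFS and MS-NLMP specifications; the dictionary key names and the bounds check are my own, and the hex is copied verbatim from the post (the dump stops a few bytes before the end of the NativeLanMan string).

```python
import struct

# Hex dump copied from the post above: the first 350 bytes of the request.
POSTED_HEX = (
    "0000015EFF534D427300" "0000001807C800000000" "00000000000000000000"
    "FFFE000820000CFF005E" "0104110A000000000000" "00BC0000000000D40000"
    "A023014E544C4D535350" "0003000000180018007C" "00000018001800940000"
    "00120012004800000010" "0010005A000000120012" "006A00000010001000AC"
    "000000158288E2050128" "0A0000000F4A00410044" "00520041004E004B0041"
    "0054006A006100640072" "0061006E006B0061004A" "0041004400520041004E"
    "004B0041005400C1B0DB" "B0304BF1650000000000" "00000000000000000000"
    "00CD042F76B4B3AC6BB6" "3B01139F4D8044D22803" "41AFBE4C952487BF4509"
    "FF82148771BBC3F1D11A" "1B00570069006E006400" "6F007700730020003200"
    "30003000320020005300" "65007200760069006300" "65002000500061006300"
    "6B002000320020003200" "36003000300000005700" "69006E0064006F007700"
    "73002000320030003000" "3200200035002E003100"
)
POSTED_PACKET = bytes.fromhex(POSTED_HEX)

SMB_COM_SESSION_SETUP_ANDX = 0x73
CAP_EXTENDED_SECURITY = 0x80000000
NTLMSSP_AUTHENTICATE = 3
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001
NTLMSSP_NEGOTIATE_VERSION = 0x02000000
# Order of the six (Len, MaxLen, BufferOffset) fields in an AUTHENTICATE message (MS-NLMP)
AUTH_FIELDS = ("lm_response", "nt_response", "domain", "user", "workstation", "session_key")


def parse_session_setup(payload: bytes) -> dict:
    """Decode NBSS header, SMB header, Session Setup AndX words and the NTLMSSP blob.
    Returns a dict of findings (key names are this example's own); raises
    ValueError when the bytes do not have the expected shape."""
    if len(payload) < 63 or payload[0] != 0x00 or payload[4:8] != b"\xffSMB":
        raise ValueError("not a NetBIOS session message carrying SMB")
    if payload[8] != SMB_COM_SESSION_SETUP_ANDX:
        raise ValueError("SMB command 0x%02x is not Session Setup AndX" % payload[8])
    if payload[36] != 12:
        raise ValueError("WordCount %d: not the extended-security request form" % payload[36])
    # Parameter words (little-endian) from offset 37: AndXCommand, AndXReserved,
    # AndXOffset, MaxBuffer, MaxMpx, VcNumber, SessionKey, SecurityBlobLength,
    # Reserved, Capabilities; ByteCount follows at offset 61, the blob at 63.
    blob_len = struct.unpack_from("<H", payload, 51)[0]
    capabilities = struct.unpack_from("<I", payload, 57)[0]
    blob = payload[63:63 + blob_len]
    if len(blob) != blob_len:
        raise ValueError("security blob runs past the captured data")
    findings = {
        "nbss_len": struct.unpack_from(">I", payload, 0)[0] & 0x00FFFFFF,
        "extended_security": bool(capabilities & CAP_EXTENDED_SECURITY),
        "blob_len": blob_len,
        # A SPNEGO blob starts with an ASN.1 tag (0x60 initial token, 0xA1
        # NegTokenResp); a raw NTLMSSP blob starts with "NTLMSSP\0" instead.
        "asn1_wrapped": blob[:1] in (b"\x60", b"\xa1"),
    }
    ntlm_at = blob.find(b"NTLMSSP\x00")
    if ntlm_at < 0:
        raise ValueError("no NTLMSSP message in security blob")
    ntlm = blob[ntlm_at:]
    findings["ntlmssp_type"] = struct.unpack_from("<I", ntlm, 8)[0]
    if findings["ntlmssp_type"] == NTLMSSP_AUTHENTICATE:
        flags = struct.unpack_from("<I", ntlm, 60)[0]
        findings["flags"] = flags
        findings["fields"] = {}
        findings["fields_in_bounds"] = True
        for i, name in enumerate(AUTH_FIELDS):
            length, _maxlen, off = struct.unpack_from("<HHI", ntlm, 12 + 8 * i)
            findings["fields"][name] = (length, off)
            if off + length > len(ntlm):
                # A length/offset pair pointing outside the message is the shape
                # a crafted overflow attempt against a field parser would have.
                findings["fields_in_bounds"] = False
        if findings["fields_in_bounds"]:
            enc = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "ascii"
            for name in ("domain", "user", "workstation"):
                length, off = findings["fields"][name]
                findings[name] = ntlm[off:off + length].decode(enc)
        # 24-byte LM/NT responses are the NTLMv1 shape; NTLMv2 responses are longer.
        findings["ntlmv2"] = findings["fields"]["nt_response"][0] > 24
        if flags & NTLMSSP_NEGOTIATE_VERSION:
            major, minor, build = struct.unpack_from("<BBH", ntlm, 64)
            findings["client_version"] = (major, minor, build)
    # NativeOS and NativeLanMan follow the blob, padded to a 2-byte boundary
    # measured from the start of the SMB header (payload offset 4).
    pos = 63 + blob_len
    if (pos - 4) % 2:
        pos += 1
    tail = payload[pos:pos + (len(payload) - pos) // 2 * 2]
    findings["native_strings"] = tail.decode("utf-16-le").split("\x00")
    return findings


if __name__ == "__main__":
    for key, value in parse_session_setup(POSTED_PACKET).items():
        print("%-18s %r" % (key, value))
```

Running it on the posted bytes gives type 3, asn1_wrapped False, every field inside the 188-byte blob, domain and workstation JADRANKAT, user jadranka, flags 0xE2888215, client version 5.1 build 2600 and NativeOS "Windows 2002 Service Pack 2 2600", which is consistent with an ordinary XP SP2 logon rather than padded or oversized fields.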