Hi All
I had a question regarding netbios rules. Lately I have been receiving a
lot of the alerts as shown below where A.A.A.A and B.B.B.B are all
internal hosts to my network. In addition B.B.B.B is the IP address of our
domain controller. Is this merely false positiive or something i should
be concerned about. How do I go abt troubleshooting further to see what
exactly is happenig. Any help will be appreciated
Thanks
Ravi
[**] [1:2466:4] NETBIOS SMB-DS IPC$ share unicode access [**]
[Classification: Generic Protocol Command Decode] [Priority: 3]
11/30-14:05:00.173386 A.A.A.A:1105 -> B.B.B.B:139
TCP TTL:128 TOS:0x0 ID:22636 IpLen:20 DgmLen:128 DF
***AP*** Seq: 0xD1482D9A Ack: 0x4A54B89D Win: 0xFFFF TcpLen: 20
[**] [1:2404:5] NETBIOS SMB-DS Session Setup AndX request unicode username
overflow attempt [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: 1]
11/30-14:05:00.163386 A.A.A.A:1105 -> B.B.B.B:445
TCP TTL:128 TOS:0x0 ID:22635 IpLen:20 DgmLen:1440 DF
***AP*** Seq: 0xD1482822 Ack: 0x4A54B769 Win: 0xFAB7 TcpLen: 20
[Xref =>
http://www.eeye.com/html/research/advisories/ad20040226.html][Xref =>
http://www.securityfocus.com/bid/9752]
The information transmitted is intended only for the person or entity to
which it is addressed and may contain confidential and/or privileged
material. Any review, retransmission, dissemination or other use of, or
taking of any action in reliance upon, this information by persons or
entities other than the intended recipient is prohibited. If you
received this in error, please contact the sender and delete the material
from any computer.
