
Re: [Snort-sigs] need one help...

Subject: Re: [Snort-sigs] need one help...
Date: Mon, 06 Dec 2004 10:18:30 -0500
Pravin,

Generally, if you're looking for help analyzing a sequence of alerts, you'll want to ask specific questions about them -- like what they might signify, whether they're false positives, whether you should be concerned. You're likely to get a much better response by asking specific questions than by just saying "help me with this."

That being noted, there's a couple of things I can tell you off the top of my head that might help out. First off, are you using a current version of Snort, and more importantly, a current rule pack? The current alert string for this is "NETBIOS SMB IPC$ unicode share access".

Second, is 210.210.x.x actually external to your network, or are these just hosts on a different segment of the network (i.e. at a different campus on a university network)? If both 210.210.x.x and 202.144.x.x are internal to your network, you need to properly set $HOME_NET and $EXTERNAL_NET.

Finally, keep in mind that these are most likely relatively low-priority alerts. All this signifies is that the default Windows share of IPC$ is being accessed via an SMB client of some sort (either another Windows box, Samba, or something along those lines); this can happen all the time on networks with a decent number of Windows machines. Of course, it can be a bad thing if you're not trying to share files across the network, if you've got no Windows boxes, etc., but chances are it's not an issue.

If this doesn't answer your questions and/or you need more information, please respond with detailed questions and information relevant to the question.

Alex Kirk
Research Analyst
Sourcefire, Inc.
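To act on the $HOME_NET / $EXTERNAL_NET point above, here is an added Python helper (not from the thread, Snort or ACID) that parses alert rows in the layout Pravin posted and buckets them by direction relative to HOME_NET; the sample rows, placeholder addresses and the ids.example.net console host are constructed.

```python
"""Triage Snort NETBIOS SMB IPC$ alerts exported from ACID by direction.

Mirrors the $HOME_NET / $EXTERNAL_NET distinction: a rule written as
EXTERNAL_NET -> HOME_NET should only fire on external->internal traffic,
so a pile of internal->internal hits means the variables need fixing
(both segments are yours) or it is routine Windows share traffic.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample rows in the ACID layout from the thread (placeholder
# addresses and a placeholder console host; the first row keeps the <link>
# residue that the export attaches to each alert id and address).
SAMPLE_ALERTS = """\
#0-(1-35184) <https://ids.example.net/acid/acid_qry_alert.php?submit=0> NETBIOS SMB IPC$ unicode share access 2004-12-04 16:07:23 192.0.2.201 <https://ids.example.net/acid/acid_stat_ipaddr.php?ip=192.0.2.201&netmask=32>:1213 198.51.100.10:139 TCP
#1-(1-35192) NETBIOS SMB IPC$ unicode share access 2004-12-04 16:07:24 192.0.2.201:1217 198.51.100.10:139 TCP
#2-(1-35198) NETBIOS SMB IPC$ unicode share access 2004-12-04 16:07:25 203.0.113.7:1223 198.51.100.10:139 TCP
"""

LINK = re.compile(r"<https?://[^>]*>")  # strip ACID hyperlink residue
ROW = re.compile(
    r"^#(?P<idx>\d+)-\((?P<sid>[\d-]+)\)\s+(?P<msg>.+?)\s+"
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<src>[\d.]+)\s*:(?P<sport>\d+)\s+"
    r"(?P<dst>[\d.]+)\s*:(?P<dport>\d+)\s+(?P<proto>\w+)$"
)

def parse_alerts(text):
    """Return one dict per alert row; rows that do not match are skipped."""
    out = []
    for line in text.splitlines():
        m = ROW.match(LINK.sub("", line).strip())
        if m:
            out.append(m.groupdict())
    return out

def classify(alert, home_nets):
    """Label an alert 'internal->external' etc. relative to HOME_NET."""
    def side(addr):
        ip = ipaddress.ip_address(addr)
        return "internal" if any(ip in n for n in home_nets) else "external"
    return f"{side(alert['src'])}->{side(alert['dst'])}"

def triage(text, home_nets):
    """Count alerts per direction for the given HOME_NET CIDR strings."""
    nets = [ipaddress.ip_network(n) for n in home_nets]
    return Counter(classify(a, nets) for a in parse_alerts(text))
```

Run `triage(SAMPLE_ALERTS, ["192.0.2.0/24", "198.51.100.0/24"])` with both segments declared as HOME_NET and every row lands in the internal->internal bucket, which is exactly the case where the rule should not have matched.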

Hi all,
Can anybody help to analyse the logs below?
#0-(1-35184) <https://ids.maa.sify.net/acid/acid_qry_alert.php?submit=%230-%281-35184%29> NETBIOS SMB IPC$ unicode share access 2004-12-04 16:07:23 210.210.XX.XX <https://ids.maa.sify.net/acid/acid_stat_ipaddr.php?ip=210.210.123.201&netmask=32>:1213 202.144.XX.XX:139 TCP
#1-(1-35192) <https://ids.maa.sify.net/acid/acid_qry_alert.php?submit=%231-%281-35192%29> NETBIOS SMB IPC$ unicode share access 2004-12-04 16:07:24 210.210.XX.XX <https://ids.maa.sify.net/acid/acid_stat_ipaddr.php?ip=210.210.123.201&netmask=32>:1217 202.144.XX.XX:139 TCP
#2-(1-35198) <https://ids.maa.sify.net/acid/acid_qry_alert.php?submit=%232-%281-35198%29> NETBIOS SMB IPC$ unicode share access 2004-12-04 16:07:25 210.210.XX.XX <https://ids.maa.sify.net/acid/acid_stat_ipaddr.php?ip=210.210.123.201&netmask=32>:1223 202.144.XX.XX:139 TCP
#3-(1-35206) <https://ids.maa.sify.net/acid/acid_qry_alert.php?submit=%233-%281-35206%29> NETBIOS SMB IPC$ unicode share access 2004-12-04 16:07:27 210.210.XX.XX <https://ids.maa.sify.net/acid/acid_stat_ipaddr.php?ip=210.210.123.201&netmask=32>:1230 202.144.XX.XX:139 TCP
#4-(1-35213) <https://ids.maa.sify.net/acid/acid_qry_alert.php?submit=%234-%281-35213%29> NETBIOS SMB IPC$ unicode share access 2004-12-04 16:07:30 210.210.XX.XX <https://ids.maa.sify.net/acid/acid_stat_ipaddr.php?ip=210.210.123.201&netmask=32>:1237 202.144.XX.XX:139 TCP
#5-(1-35219) <https://ids.maa.sify.net/acid/acid_qry_alert.php?submit=%235-%281-35219%29> NETBIOS SMB IPC$ unicode share access 2004-12-04 16:07:31 210.210.XX.XX <https://ids.maa.sify.net/acid/acid_stat_ipaddr.php?ip=210.210.123.201&netmask=32>:1243 202.144.XX.XX:139 TCP

Thanks in advance.
Rgds,
Pravin

_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
