Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Snort-Signatures
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Snort-sigs] ISystemActivator Call_id 127 to port 1025 vs sid:2192 (port

from [Lee Clemens] Network Security [Permanent Link]
Subject: [Snort-sigs] ISystemActivator Call_id 127 to port 1025 vs sid:2192 (port 139) ?
Date: Wed, 9 Mar 2005 00:48:58 -0500 
I have been having difficulty with the NETBIOS SMB DCERPC ISystemActivator
bind attempt rule with sid:2192 (false negatives?).

I have noticed a large amount of traffic that seems extremely similar to
that which would trigger this rule (NETBIOS sid:2192), except that it is
destined for port 1025 instead of 139 (Win2K3). 

The 'attacks' are always from foreign machines I have no intention of
dealing with, and the most common attempt is DCERPC Bind: call_id: 127 UUID:
ISystemActivator, with a response from my DMZ machine of Provider rejection,
reason: Abstract syntax not supported.

I would greatly appreciate it if anyone could shed some light on the
difference between these Bind requests and those destined for port 139
(which the rule is designed for). I can only assume the packets I am seeing
are malicious in nature. (I usually get scanned by the same IP before or
shortly after the rejection of the bind request.)

I have made my own simple rule to log traffic $EXTERNAL_NET any -> $HOME_NET
1025 so that I can monitor this activity, but I am wondering why there is no
rule including port 1025 (Should I add port 1025 to the ISystemActivator
rules with port 139?).

I have included the packet bytes (call_id 127 UUID: ISystemActivator) minus
the layer 2 and 3 headers below.

0000  -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --   ----------------
0010  -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --   ----------------
0020  -- -- 09 48 04 01 9f 68 4b 99 6c dc dc 82 50 18   --.H...hK.l...P.
0030  fa f0 7e 1f 00 00 05 00 0b 03 10 00 00 00 48 00   ..~...........H.
0040  00 00 7f 00 00 00 d0 16 d0 16 00 00 00 00 01 00   ................
0050  00 00 01 00 01 00 a0 01 00 00 00 00 00 00 c0 00   ................
0060  00 00 00 00 00 46 00 00 00 00 04 5d 88 8a eb 1c   .....F.....]....
0070  c9 11 9f e8 08 00 2b 10 48 60 02 00 00 00         ......+.H`....


Thanks for any help you can offer. Let me know if you need more information
in describing these events as well.

--Lee
snort@leeclemens.net




-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Snort-sigs] False positive with Win2K3 RESKIT tool against sid:2351, Brian Caswell
Next by Date:  [Snort-sigs] Bleedingsnort.com Daily Update, bleeding
Previous by Thread:  Re: [Snort-sigs] False positive with Win2K3 RESKIT tool against sid:2351, Brian Caswell
Next by Thread:  [Snort-sigs] Important Query, Rohit Khosla
Indexes:  [Date] [Thread] [Top] [All Lists]