
[Snort-sigs] FPs for NETBIOS DCERPC ISystemActivator path overflow attem

Subject: [Snort-sigs] FPs for NETBIOS DCERPC ISystemActivator path overflow attempt little endian,Sig ID,3197
Date: Tue, 22 Nov 2005 09:01:58 +1300
I am seeing thousands of hits on this rule between two machines that
appear to be legitimately talking.

Russell

META
--------
SID     CID     TimeStamp               Signature
2       1129152 2005-11-21 09:01:13     NETBIOS DCERPC ISystemActivator path overflow attempt little endian
Sig ID
3197

Sensor Hostname                         Sensor Interface
monitor-tmk.insec.auckland.ac.nz        Tamaki sector switch

IP
--------
Source Address  Dest Address    Ver     Hdr Len
130.216.242.104 130.216.242.106 4       5
TOS     length  ID      flags   offset  TTL     chksum
0       1235    7147    2       0       128     61365

Resolved Source
desigo-ws3.wks.auckland.ac.nz

Resolved Dest
apogeesvr.wks.auckland.ac.nz

TCP
--------
Source Port     Dest Port       Seq             Ack             
3058            135             1919811077      2576312283
Offset  Reserved        Flags   Window  Checksum        Urgent Ptr
5       0               24      17520   44605           0

Options
--------
None


Flags
--------
RB 1    RB 0    URG     ACK     PSH     RST     SYN     FIN
                        X       X                               



  • [Snort-sigs] FPs for NETBIOS DCERPC ISystemActivator path overflow attempt little endian,Sig ID,3197, Russell Fulton <=