[Snort-sigs] FP on three SMB umpnpmgr rules!!

I just triggered this myself. It generated over 50 alerts on three
different  umpnpmgr rules

NETBIOS SMB-DS umpnpmgr PNP_GetDeviceList unicode little endian attempt
NETBIOS SMB-DS umpnpmgr PNP_GetDeviceList unicode attempt
NETBIOS SMB-DS umpnpmgr PNP_GetDeviceListSize unicode little endian attempt

I had connected (as Administrator) from a Win2K3 Domain Controller to a
remote Win2K laptop in order to restart some service - not exactly a
strange thing to do...

example packet dump of event follows:

 

000 : 00 00 00 98 FF 53 4D 42 25 00 00 00 00 18 07 C8   .....SMB%.......
010 : 00 00 00 00 00 00 00 00 00 00 00 00 00 08 A4 07   ................
020 : 00 08 31 AA 10 00 00 44 00 00 00 00 04 00 00 00   ..1....D........
030 : 00 00 00 00 00 00 00 00 00 54 00 44 00 54 00 02   .........T.D.T..
040 : 00 26 00 07 C0 55 00 00 5C 00 50 00 49 00 50 00   .&...U..\.P.I.P.
050 : 45 00 5C 00 00 00 00 00 05 00 00 03 10 00 00 00   E.\.............
060 : 44 00 00 00 03 00 00 00 2C 00 00 00 00 00 0B 00   D.......,.......
070 : 00 00 02 00 0B 00 00 00 00 00 00 00 0B 00 00 00   ................
080 : 53 00 41 00 56 00 53 00 65 00 72 00 76 00 69 00   S.A.V.S.e.r.v.i.
090 : 63 00 65 00 00 00 00 00 02 00 00 00               c.e.........

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1



-------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc. Do you grep through log files
for problems?  Stop!  Download the new AJAX search engine that makes
searching your log files as easy as surfing the  web.  DOWNLOAD SPLUNK!
http://ads.osdn.com/?ad_id=7637&alloc_id=16865&op=click
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs