Network Security Snort-Signatures
Subject: [Snort-sigs] FPs on AddPrinterEx unicode little endian overflow attempt, Sig ID, 4485
Date: Wed, 07 Jun 2006 13:34:04 +1200
I'm seeing quite a few of these on our internal network.

Russell

META
--------
SID     CID     TimeStamp               Signature
1       4662297 2006-06-05 09:57:04     NETBIOS SMB-DS spoolss AddPrinterEx unicode little endian overflow attempt
Sig ID
4485

Sensor Hostname                         Sensor Interface
monitor-itss.insec.auckland.ac.nz       ITSS sector switch

IP
--------
Source Address  Dest Address    Ver     Hdr Len
130.216.54.18   130.216.206.186 4       5
TOS     length  ID      flags   offset  TTL     chksum
0       518     58822   2       0       126     2734

Resolved Source
sgm18.phy.auckland.ac.nz

Resolved Dest
horace.phyt.auckland.ac.nz

TCP
--------
Source Port     Dest Port       Seq             Ack             
3927            445             1807284775      1451020825
Offset  Reserved        Flags   Window  Checksum        Urgent Ptr
5       0               24      64319   58281           0

Options
--------
None


Flags
--------
RB 1    RB 0    URG     ACK     PSH     RST     SYN     FIN
                        X       X                               

DATA
--------
.....SMB%....................0x..`.......................T..
.T...&..@...\.P.I.P.E.\.....................n.....F.........
........\.\.H.O.R.A.C.E.............................h...3...
....3...\.\.S.G.M.1.8.\.A.d.o.b.e. .P.D.F.,.A.d.o.b.e. .P.D.
F. .C.o.n.v.e.r.t.e.r.,.M.y. .D.o.c.u.m.e.n.t.s...s.........
....\.\.S.G.M.1.8.\.A.d.o.b.e. .P.D.F...............?.?. .A.
d.o.b.e. .P.D.F...F.....................................,...
(...........................\.\.S.G.M.1.8.................


_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
