Intrusion Detection Systems mailing list archives

Re: Source port of Samba Scans?


From: stuart () SiliconDefense com (Stuart Staniford-Chen)
Date: Sat, 11 Mar 2000 21:23:39 +0000




Daniel Swan wrote:

Robert Graham said:

Packets sent to UDP port 137 from port 137 are extremely common and rarely
indicate an attack.

Within a windows network, I agree...  but there is a definite pattern to these connexions, especially as some are 
accompanied by other probes.  I suspect you'll agree after you see my logfile.

Log at:


http://clgr003495.hs.telusplanet.net/snort2html.html

While you are looking, please keep in mind my original question:  How do we account for different source ports of 
Netbios Name queries? (some 137, some not)

Whether it's coming from a Windows box (probably 137) or Unix (probably
high numbered port).

I agree the pattern from a few home.com addresses is kind of fishy.
You have this SMB Wildcard alert from a number of different sources.  
The signature from the snort distribution is:

misc-lib:alert udp any any -> $HOME_NET 137 (msg:"SMB Name Wildcard";
content:"CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA|0000|";)

Translating the content string back out of the strange Netbios encoding
(see RFC 1001 page 25), it becomes the name "*".  This special name is
used for any broadcast name service requests (RFC 1001 page 57).

Finally, if you look at the web page Robert pointed you to:

http://www.robertgraham.com/pubs/firewall-seen.html#port137

You'll find:

Exact signature: If the Windows box is trying to find the name 
for the IP address 192.0.2.21, it will do the following steps: 

      * Lookup the DNS "PTR" record for 21.2.0.192.in-addr.arpa; 
        this request is sent to the local DNS server, which 
        recursively forwards the query to the appropriate DNS 
        server as required.  
      * If the DNS answer comes back, it won't query NetBIOS. If 
        a negative response comes back, it will immediately query 
        NetBIOS. If the DNS server times-out, it will wait 14-seconds, 
        then query NetBIOS.   
      * When resolving with NetBIOS, it will send out a "NodeStatus" 
        query that is sent to the 192.0.2.12:137 from x.x.x.x:137. 
        (I.e. the query is sent to the IP address being resolved to 
        its port 137, and is sent from the Windows machine port 137).  
      * The NetBIOS request is a "NodeStatus" query that looks up 
        the name "*". It is 50 bytes worth of data (58 including the 
        UDP header, 78 including the IP header, 92 including an 
        Ethernet header).  Three NetBIOS queries are sent with a 
        1.5 second timeout. 

The SMB-Wildcard and Source Port traffic alerts in your log look almost
consistent with several machines on the source network trying to
get information out of your DNS and Nameservice on the destination box. 
But the source ports seem too good to be true.  It does kind of smell
like someone trying to be stealthy while still probing the box.

Also the NULL Scan doesn't look good.  See

http://whitehats.com/IDS/4

Is there any innocent reason for these kinds of packets anyone?

Stuart.

-- 
Stuart Staniford-Chen --- President --- Silicon Defense
                   stuart () silicondefense com
(707) 822-4588                     (707) 826-7571 (FAX)
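The two technical points in the message above, that the rule's content string is the NetBIOS first-level encoding of the name "*" (RFC 1001) and that a NodeStatus query for that name is 50 bytes of UDP payload (58/78/92 with UDP/IP/Ethernet headers), can be checked directly. The following is an added example written for this archive page, not code from Stuart, Robert Graham or the Snort distribution. It encodes and decodes names the way RFC 1001 section 14.1 describes, builds an NBSTAT request for "*" laid out as in RFC 1002, converts the quoted Snort content string (written here as "CK" plus thirty "A"s) into bytes, and applies the rule's port and content conditions to a few constructed packet tuples. The transaction id, sample addresses and the flags value 0x0000 are assumptions chosen for the example.

```python
"""Added example: NetBIOS first-level name encoding, an NBSTAT (NodeStatus)
request for the wildcard name "*", and the Snort content match from the
thread applied to constructed traffic. Not code from the original post."""
import struct

QTYPE_NBSTAT = 0x0021   # NBSTAT question type (RFC 1002 section 4.2.17)
QCLASS_IN = 0x0001
# The content string of the quoted Snort rule: "CK" followed by thirty "A"s, then |0000|.
RULE_CONTENT = "CK" + "A" * 30 + "|0000|"


def encode_netbios_name(name: str, suffix: int = 0x00) -> str:
    """First-level encoding (RFC 1001 section 14.1): each nibble of the 16-byte
    name becomes one letter in 'A'..'P'. The wildcard "*" is padded with NUL
    bytes; ordinary names are space-padded to 15 bytes plus a one-byte suffix."""
    raw = name.encode("ascii")
    if raw == b"*":
        raw = raw.ljust(16, b"\x00")
    else:
        raw = raw[:15].ljust(15, b" ") + bytes([suffix])
    return "".join(chr(0x41 + (b >> 4)) + chr(0x41 + (b & 0x0F)) for b in raw)


def decode_netbios_name(encoded: str) -> tuple:
    """Inverse of encode_netbios_name: returns (display name, suffix byte)."""
    if len(encoded) != 32 or any(c not in "ABCDEFGHIJKLMNOP" for c in encoded):
        raise ValueError("not a 32-character first-level encoded name")
    raw = bytes(((ord(hi) - 0x41) << 4) | (ord(lo) - 0x41)
                for hi, lo in zip(encoded[0::2], encoded[1::2]))
    return raw[:15].rstrip(b" \x00").decode("ascii"), raw[15]


def build_node_status_query(txid: int = 0x1234) -> bytes:
    """NBSTAT request for "*": 12-byte header plus one question entry.
    Flags 0x0000 (standard query, not broadcast) is an assumption for the example."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    qname = bytes([32]) + encode_netbios_name("*").encode("ascii") + b"\x00"
    return header + qname + struct.pack("!HH", QTYPE_NBSTAT, QCLASS_IN)


def parse_nbns_query(payload: bytes) -> dict:
    """Pull the fields a detector cares about out of a name service query."""
    txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    label_len = payload[12]
    encoded = payload[13:13 + label_len].decode("ascii")
    qtype, qclass = struct.unpack("!HH", payload[14 + label_len:18 + label_len])
    name, suffix = decode_netbios_name(encoded)
    return {"txid": txid, "flags": flags, "qdcount": qdcount, "name": name,
            "suffix": suffix, "qtype": qtype, "qclass": qclass}


def snort_content_to_bytes(content: str) -> bytes:
    """Snort content syntax: literal text, with |..| sections holding hex bytes."""
    out = bytearray()
    for i, part in enumerate(content.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("ascii")
    return bytes(out)


def frame_sizes(payload: bytes) -> dict:
    """Sizes as quoted in the thread: UDP header 8, IPv4 header 20, Ethernet 14."""
    n = len(payload)
    return {"nbns": n, "udp": n + 8, "ip": n + 28, "ethernet": n + 42}


def smb_name_wildcard_alerts(packets):
    """Apply the quoted rule (udp any any -> $HOME_NET 137 with the content
    match) to (src_ip, src_port, dst_port, payload) tuples. Returns the hits
    with their source port so the 137-versus-high-port pattern is visible."""
    needle = snort_content_to_bytes(RULE_CONTENT)
    return [(src, sport) for src, sport, dport, payload in packets
            if dport == 137 and needle in payload]


if __name__ == "__main__":
    q = build_node_status_query()
    print(encode_netbios_name("*"))
    print(parse_nbns_query(q), frame_sizes(q))
    # Constructed sample traffic: a Windows-style 137->137 lookup, a Unix-style
    # high-port lookup, and an unrelated DNS query that must not match.
    sample = [("192.0.2.10", 137, 137, q), ("192.0.2.11", 1034, 137, q),
              ("192.0.2.12", 1035, 53, b"\x00\x01" * 6)]
    print(smb_name_wildcard_alerts(sample))
```

The content match ends in the two bytes 0x00 0x00 because the 32-character label is followed by the terminating zero-length label and then the high byte of the NBSTAT type (0x0021), so the rule fires on the wildcard NodeStatus question specifically rather than on any query carrying the encoded name. Note that the rule itself says nothing about the source port; the 137-versus-high-port distinction the thread asks about has to come from the logged source port, which is why the matcher returns it.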


