Snort mailing list archives

Re: Re: Confused about rules and logs


From: b311b-snort () theotherbell com
Date: Mon, 10 May 2004 08:51:34 -0400

On Mon, 10 May 2004 04:11:12 -0700 (PDT)
Richard Bejtlich wrote:

> I strongly recommend you upgrade to a version of Snort
> not found in the www.snort.org/dl/do_not_use/
> directory.  The version you are running is vulnerable
> to several exploits.
> (www.cert.org/advisories/CA-2003-13.html)

Thanks.  I'm looking into upgrading my NetBSD firewall to the latest
version of NetBSD... but it's going to take a while.  In the meantime,
I'd really like to figure out what's so different about this one
Windows workstation.  I have three other Windows PCs on my small
network and this is the only one that's giving me trouble.

I'll take a look at Ethereal... hopefully I'll be able to figure out
how to do what you're asking, but in the meantime, here's some more
info. I restarted snort with the -I flag. At that point, I started
getting new messages in /var/log/snort/portscan that look like this:

May 10 00:11:21 192.168.2.66:137 -> 192.168.2.252:137 UDP
May 10 00:11:28 192.168.2.66:137 -> 192.168.2.252:137 UDP
May 10 00:11:35 192.168.2.66:137 -> 192.168.2.252:137 UDP
May 10 00:11:42 192.168.2.66:137 -> 192.168.2.252:137 UDP
May 10 00:11:50 192.168.2.66:137 -> 192.168.2.252:137 UDP
May 10 00:11:57 192.168.2.66:137 -> 192.168.2.252:137 UDP
May 10 00:12:04 192.168.2.66:137 -> 192.168.2.252:137 UDP
May 10 00:12:14 192.168.2.66:137 -> 192.168.2.255:137 UDP

I suspected the traffic had something to do with NetBIOS and this
confirms it.

192.168.2.66 is a Linux box that's providing DHCP and SMB services for
my network.  I have Samba set up to act as an NT domain controller.
192.168.2.252 is a Windows box that's generating messages in
/var/log/snort/log that look like this:

[**] spp_portscan: portscan status from 192.168.2.252: 3 connections across 3 hosts: TCP(0), UDP(3) [**]
[**] spp_portscan: portscan status from 192.168.2.252: 4 connections across 3 hosts: TCP(0), UDP(4) [**]
[**] spp_portscan: portscan status from 192.168.2.252: 2 connections across 2 hosts: TCP(0), UDP(2) [**]
[**] spp_portscan: portscan status from 192.168.2.252: 2 connections across 2 hosts: TCP(0), UDP(2) [**]

All of my Windows boxes on the network maintain mapped network drives,
use domain logins, etc.  They're all configured exactly the same way,
but this is the only one that generates the messages.

Brenda Bell
Henniker (the only one on earth)
New Hampshire (the state with 5 seasons: black fly, tourist, foliage, ski and mud)
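A small triage script, added here as an example and not part of the thread or of Snort itself, that parses the two spp_portscan line formats quoted in the message above, groups the /var/log/snort/portscan entries by source, destination and destination port, reports how regularly each flow recurs, and flags sources whose only "scan" traffic is UDP to the NetBIOS service ports (137 name service, 138 datagram, 139 session). The sample lines are the ones quoted in the message; the function and label names are my own.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Well-known NetBIOS-over-TCP/IP service ports.
NETBIOS_PORTS = {137: "netbios-ns", 138: "netbios-dgm", 139: "netbios-ssn"}

# Sample input: the lines quoted in the message above (constructed from the thread).
SAMPLE_PORTSCAN = [
    "May 10 00:11:21 192.168.2.66:137 -> 192.168.2.252:137 UDP",
    "May 10 00:11:28 192.168.2.66:137 -> 192.168.2.252:137 UDP",
    "May 10 00:11:35 192.168.2.66:137 -> 192.168.2.252:137 UDP",
    "May 10 00:11:42 192.168.2.66:137 -> 192.168.2.252:137 UDP",
    "May 10 00:11:50 192.168.2.66:137 -> 192.168.2.252:137 UDP",
    "May 10 00:11:57 192.168.2.66:137 -> 192.168.2.252:137 UDP",
    "May 10 00:12:04 192.168.2.66:137 -> 192.168.2.252:137 UDP",
    "May 10 00:12:14 192.168.2.66:137 -> 192.168.2.255:137 UDP",
]
SAMPLE_STATUS = [
    "[**] spp_portscan: portscan status from 192.168.2.252: 3 connections across 3 hosts: TCP(0), UDP(3) [**]",
    "[**] spp_portscan: portscan status from 192.168.2.252: 4 connections across 3 hosts: TCP(0), UDP(4) [**]",
    "[**] spp_portscan: portscan status from 192.168.2.252: 2 connections across 2 hosts: TCP(0), UDP(2) [**]",
]

# /var/log/snort/portscan format: "<mon> <day> <hh:mm:ss> <src>:<sport> -> <dst>:<dport> <proto>"
PORTSCAN_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)$"
)
# /var/log/snort/log status format written by spp_portscan.
STATUS_RE = re.compile(
    r"portscan status from (?P<src>[\d.]+): (?P<conns>\d+) connections across "
    r"(?P<hosts>\d+) hosts: TCP\((?P<tcp>\d+)\), UDP\((?P<udp>\d+)\)"
)


def parse_portscan_line(line):
    """Return a dict for one portscan log entry, or None if the line does not match."""
    m = PORTSCAN_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    # The syslog-style stamp carries no year; strptime fills in 1900, which is fine for deltas.
    d["ts"] = datetime.strptime(d["ts"], "%b %d %H:%M:%S")
    d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
    return d


def parse_status_line(line):
    """Return the counters from one 'portscan status' line, or None if it does not match."""
    m = STATUS_RE.search(line)
    if not m:
        return None
    return {k: (v if k == "src" else int(v)) for k, v in m.groupdict().items()}


def summarize_flows(lines):
    """Group entries by (src, dst, dport, proto); report count, median gap and service name."""
    stamps_by_flow = defaultdict(list)
    for line in lines:
        ev = parse_portscan_line(line)
        if ev:
            stamps_by_flow[(ev["src"], ev["dst"], ev["dport"], ev["proto"])].append(ev["ts"])
    summary = {}
    for key, stamps in stamps_by_flow.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        summary[key] = {
            "count": len(stamps),
            "median_gap_s": statistics.median(gaps) if gaps else None,
            "service": NETBIOS_PORTS.get(key[2]),  # None for non-NetBIOS ports
            "broadcast": key[1].endswith(".255"),  # e.g. 192.168.2.255 name-service broadcast
        }
    return summary


def classify_sources(summary):
    """Label each source 'netbios-only' if every flow is UDP to 137/138/139, else 'review'."""
    flows_by_src = defaultdict(list)
    for (src, _dst, dport, proto), _info in summary.items():
        flows_by_src[src].append(proto == "UDP" and dport in NETBIOS_PORTS)
    return {src: ("netbios-only" if all(ok) else "review") for src, ok in flows_by_src.items()}


def udp_only_sources(status_lines):
    """Sources whose status lines show only UDP connections (TCP(0) on every line)."""
    parsed = [p for p in (parse_status_line(l) for l in status_lines) if p]
    return {p["src"] for p in parsed if all(q["tcp"] == 0 for q in parsed if q["src"] == p["src"])}


if __name__ == "__main__":
    for flow, info in summarize_flows(SAMPLE_PORTSCAN).items():
        print(flow, info)
    print(classify_sources(summarize_flows(SAMPLE_PORTSCAN)))
    print(udp_only_sources(SAMPLE_STATUS))
```

On the quoted lines this reports one flow of seven UDP 137 packets to 192.168.2.252 recurring about every 7 seconds plus a single packet to the 192.168.2.255 broadcast address, and labels 192.168.2.66 "netbios-only"; the status lines likewise show 192.168.2.252 generating UDP-only connection counts. That is the signature of periodic NetBIOS name-service traffic being tallied as "connections across hosts" by spp_portscan rather than a port scan, which is why Snort of that era provided the portscan-ignorehosts preprocessor directive to exclude known chatty hosts such as a domain controller from the portscan counters.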



