Incidents
RE: spoolss overflow attempt: unknow threat or false alert ? Sep 08 2006 12:44PM
Buozis, Martynas (martynas ti com) (1 replies)
Joel

I did before writing to this list. Text is here http://www.snort.org/pub-bin/sigs.cgi?sid=4421. There are no false negatives, attack is easy, and impact is serious.

I would ignore this, but packets are being sent persistently - I get thousands of events logged by snort. Amount of workstations, that send packets, is increasing. Workstations are sending packets to servers in different networks and domains. Why workstation in different subnet and different domain shall send this kind of AddPrinterEx?es to server, that has nothing common with its setup and run? I have more question than answers behind this activity and this is the reason why I am asking about this in mailing list.

Even without risk indicated by SNORT I would raise a question why Windows workstations shall send packets in huge amount like this to servers that serve completely different networks and domains? Most of these servers are not any kind of browsing masters, so why AddPrinter shall be sent to these?

With best regards
Martynas

________________________________________
From: Joel Esler [mailto:eslerj (at) gmail (dot) com [email concealed]]
Sent: Friday, September 08, 2006 2:12 PM
To: Buozis, Martynas
Cc: incidents (at) securityfocus (dot) com [email concealed]
Subject: Re: spoolss overflow attempt: unknow threat or false alert ?

As with any alert in Snort, make sure you read the rule documentation that is included with the rules.  Or check the rule on the snort.org site by typing in the sid number on the left of the site.

Joel

BTW -- Snort is not in all caps :)
On 9/7/06, Buozis, Martynas <martynas (at) ti (dot) com [email concealed]> wrote:

Hello

I see many packets coming from various hosts to few servers (both
clients and servers are inside Intranet) that are identified by SNORT as
NETBIOS SMB spoolss AddPrinterEx unicode little endian overflow attempt.
I checked source hosts with AV and spyware software but found nothing,
while these packets continue to flow persistently in large amounts. Is
it some false positive by SNORT or is it an unknown security threat
(trojan/worm/virus) behind this activity? Is this packet really complies
signature of real hacking attempt? Can somebody tell me what real threat
is in typical packet, if any?  What can be real risk behind these
packages ?

Typical packet payload look following:

000 : 00 00 02 52 FF 53 4D 42 25 00 00 00 00 18 03 80   ...R.SMB%.......
010 : D1 80 00 00 00 00 00 00 00 00 00 00 01 00 00 98   ................
020 : 64 00 C0 00 10 00 00 FE 01 00 00 00 04 00 00 00   d...............
030 : 00 00 00 00 00 00 00 00 00 54 00 FE 01 54 00 02   .........T...T..
040 : 00 26 00 61 73 0F 02 5C 5C 00 50 00 49 00 50 00   .&.as..\\.P.I.P.
050 : 45 00 5C 00 00 00 00 5C 05 00 00 03 10 00 00 00   E.\....\........
060 : FE 01 00 00 01 00 00 00 E6 01 00 00 00 00 46 00   ..............F.
070 : 98 FE 2D 03 0A 00 00 00 00 00 00 00 0A 00 00 00   ..-.............
080 : 5C 00 5C 00 46 00 46 00 41 00 42 00 53 00 4D 00   \.\.F.F.A.B.S.M.
090 : 42 00 00 00 01 00 00 00 01 00 00 00 50 FE 2D 03   B...........P.-.
0a0 : 18 08 00 00 E4 F5 2D 03 24 FC 2D 03 58 F1 CA 02   ......-.$.-.X...
0b0 : 51 00 00 00 00 00 00 00 51 00 00 00 5C 00 5C 00   Q.......Q...\.\.
0c0 : 4F 00 4E 00 59 00 58 00 5C 00 77 00 66 00 72 00   O.N.Y.X.\.w.f.r.
0d0 : 73 00 74 00 6B 00 31 00 2C 00 48 00 50 00 20 00   s.t.k.1.,.H.P. .
0e0 : 4C 00 61 00 73 00 65 00 72 00 4A 00 65 00 74 00   L.a.s.e.r.J.e.t.
0f0 : 20 00 34 00 30 00 35 00 30 00 20 00 53 00 65 00    .4.0.5.0. .S.e.
100 : 72 00 69 00 65 00 73 00 20 00 50 00 53 00 2C 00   r.i.e.s. .P.S.,.
110 : 42 00 6C 00 64 00 67 00 2E 00 20 00 33 00 20 00   B.l.d.g... .3. .
120 : 53 00 2E 00 20 00 50 00 72 00 6F 00 62 00 65 00   S... .P.r.o.b.e.
130 : 20 00 6E 00 65 00 78 00 74 00 20 00 74 00 6F 00    .n.e.x.t. .t.o.
140 : 20 00 74 00 68 00 65 00 20 00 4F 00 6C 00 69 00    .t.h.e. .O.l.i.
150 : 20 00 49 00 6E 00 6B 00 65 00 72 00 00 00 72 00    .I.n.k.e.r...r.
160 : 0F 00 00 00 00 00 00 00 0F 00 00 00 5C 00 5C 00   ............\.\.
170 : 4F 00 4E 00 59 00 58 00 5C 00 77 00 66 00 72 00   O.N.Y.X.\.w.f.r.
180 : 73 00 74 00 6B 00 31 00 00 00 31 00 2D 00 00 00   s.t.k.1...1.-...
190 : 00 00 00 00 2D 00 00 00 48 00 50 00 20 00 4C 00   ....-...H.P. .L.
1a0 : 4A 00 34 00 30 00 35 00 30 00 20 00 2D 00 20 00   J.4.0.5.0. .-. .
1b0 : 32 00 34 00 4D 00 62 00 20 00 72 00 61 00 6D 00   2.4.M.b. .r.a.m.
1c0 : 20 00 2D 00 20 00 41 00 6C 00 73 00 6F 00 20 00    .-. .A.l.s.o. .
1d0 : 61 00 20 00 44 00 41 00 5A 00 45 00 4C 00 20 00   a. .D.A.Z.E.L. .
1e0 : 2D 00 20 00 4E 00 54 00 53 00 4E 00 35 00 41 00   -. .N.T.S.N.5.A.
1f0 : 00 00 41 00 00 00 00 00 00 00 00 00 00 00 00 00   ..A.............
200 : 00 00 00 00 01 00 00 00 01 00 00 00 1C F5 2D 03   ..............-.
210 : 1C 00 00 00 70 03 C7 02 10 F3 2D 03 65 05 00 00   ....p.....-.e...
220 : 02 00 00 00 00 00 00 00 00 00 00 00 07 00 00 00   ................
230 : 00 00 00 00 07 00 00 00 5C 00 5C 00 4F 00 4E 00   ........\.\.O.N.
240 : 59 00 58 00 00 00 58 00 01 00 00 00 00 00 00 00   Y.X...X.........
250 : 01 00 00 00 00 00                                 ......

Martynas

------------------------------------------------------------------------
------
This List Sponsored by: Black Hat

Attend the Black Hat Briefings & Training USA, July 29-August 3 in Las Vegas.
World renowned security experts reveal tomorrow's threats today. Free of
vendor pitches, the Briefings are designed to be pragmatic regardless of your
security environment. Featuring 36 hands-on training courses and 10 conference
tracks, networking opportunities with over 2,500 delegates from 40+ nations.

http://www.blackhat.com
------------------------------------------------------------------------
------

--
--Joel Esler
ISC Incident Handler
http://www.incidents.org

------------------------------------------------------------------------
------
This List Sponsored by: Black Hat

Attend the Black Hat Briefings & Training USA, July 29-August 3 in Las Vegas.
World renowned security experts reveal tomorrow's threats today. Free of
vendor pitches, the Briefings are designed to be pragmatic regardless of your
security environment. Featuring 36 hands-on training courses and 10 conference
tracks, networking opportunities with over 2,500 delegates from 40+ nations.

http://www.blackhat.com
------------------------------------------------------------------------
------

[ reply ]
Re: spoolss overflow attempt: unknow threat or false alert ? Sep 09 2006 01:12PM
Sûnnet Beskerming (info beskerming com)


 

Privacy Statement
Copyright 2010, SecurityFocus