GPL NETBIOS SMB IPC$ unicode share access


packetsmacker

Jun 23, 2016, 9:02:40 AM
to security-onion
I have been seeing a ton of these alerts. I found some old posts about it but nothing that really explains what's going on. As best as I can tell this alert is meant to detect share access from outside the network. That is based on what is set in the snort.conf file. I have ipvar HOME_NET set to my network range and ipvar EXTERNAL_NET set to any.


The dest IPs are always our DCs as best as I can tell. I am having to log into mysql and update the status of this alert before the box is usable again. Seems like all false positives, but it's so noisy I can't look at it to tell if it is.

Wes

Jun 23, 2016, 9:47:55 AM
to security-onion
On Thursday, June 23, 2016 at 9:02:40 AM UTC-4, packetsmacker wrote:
> I have been seeing a ton of these alerts. I found some old posts about it but nothing that really explains what's going on. As best as I can tell this alert is meant to detect share access from outside the network. That is based on what is set in the snort.conf file. I have ipvar HOME_NET set to my network range and ipvar EXTERNAL_NET set to any.
>
>
> The dest IPs are always our DCs as best as I can tell. I am having to log into mysql and update the status of this alert before the box is usable again. Seems like all false positives, but it's so noisy I can't look at it to tell if it is.

packetsmacker,

You could try changing your EXTERNAL_NET in snort.conf to the following to alert only on external -> internal access:

ipvar EXTERNAL_NET !$HOME_NET

Thanks,
Wes

Doug Burks

Jun 25, 2016, 10:14:28 AM
to securit...@googlegroups.com
Here are a few other options:

- use /etc/nsm/pulledpork/modifysid.conf to modify the variables in
the rule itself:
https://github.com/Security-Onion-Solutions/security-onion/wiki/ManagingAlerts#modifysidconf

OR

- use /etc/nsm/rules/threshold.conf to suppress the alert for specific
IP addresses:
https://github.com/Security-Onion-Solutions/security-onion/wiki/ManagingAlerts#suppressions

--
Doug Burks
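The three knobs discussed in this thread, collected into one worked configuration as an added example (this is not code from the Security Onion project or from the posters). SID_OF_RULE, the network ranges and the DC addresses are placeholders to replace with your own values; the file paths are the ones named in the thread plus the sensor's own snort.conf.

```conf
# --- Option 1 (Wes): the sensor's snort.conf ---
# Scope EXTERNAL_NET to "everything that is not HOME_NET", so workstation -> DC
# SMB traffic no longer matches rules written as $EXTERNAL_NET -> $HOME_NET.
ipvar HOME_NET [10.0.0.0/8,192.168.0.0/16]   # placeholder ranges
ipvar EXTERNAL_NET !$HOME_NET

# --- Option 2 (Doug): /etc/nsm/pulledpork/modifysid.conf ---
# Rewrite the source variable of this one rule only, leaving the global
# EXTERNAL_NET untouched for every other rule.
# Format: <sid> "<pattern to find>" "<replacement>". The $ is escaped because
# pulledpork applies the pattern as a regex (assumed from pulledpork's own examples).
SID_OF_RULE "\$EXTERNAL_NET" "!\$HOME_NET"

# --- Option 3 (Doug): /etc/nsm/rules/threshold.conf ---
# Keep the rule as written but drop alerts whose destination is a known DC.
# gen_id 1 is the Snort text-rule engine; track by_dst matches on the destination.
suppress gen_id 1, sig_id SID_OF_RULE, track by_dst, ip 10.0.0.10    # DC1 placeholder
suppress gen_id 1, sig_id SID_OF_RULE, track by_dst, ip 10.0.0.11    # DC2 placeholder
# ip also accepts a list or CIDR, e.g.  ip [10.0.0.10,10.0.0.11]
```

Option 3 is the narrowest: it leaves the rule live for every destination other than the listed DCs, whereas options 1 and 2 stop detecting any internal-to-internal IPC$ access. After editing modifysid.conf or threshold.conf, regenerate the rules (on Security Onion, rule-update) so the change reaches the sensor.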