Re: spoolss overflow attempt: unknown threat or false alert ?

From: Jonathan Nichols (jnicholspbp.net)
Date: Fri Sep 08 2006 - 19:55:13 CDT


Emanuele Rocca wrote:
> Hello,
>
> * Buozis, Martynas <martynasti.com>, [2006-09-07 16:10 +0200]:
>> I see many packets coming from various hosts to few servers (both
>> clients and servers are inside Intranet) that are identified by SNORT as
>> NETBIOS SMB spoolss AddPrinterEx unicode little endian overflow attempt.
>> I checked source hosts with AV and spyware software but found nothing,
>> while these packets continue to flow persistently in large amounts. Is
>> it some false positive by SNORT or is it an unknown security threat
>> (trojan/worm/virus) behind this activity?
>
> I've got no direct experience with that alert, but the Snort signature
> database can give you additional information:
> http://www.snort.org/pub-bin/sigs.cgi?sid=4414
>
> Summary:
> This event is generated when an attempt is made to exploit a known
> vulnerability in Microsoft systems using the Print Spooler Service.
> In particular this rule generates an event when an attempt is made
> to exploit the function "AddPrinterEx" via the "spoolss" component.
>
> False positives:
> None known.
>
> Another reference you may find interesting is the MS Security Bulletin:
> http://www.microsoft.com/technet/security/bulletin/MS05-043.mspx
>
> ciao,
> ema

Also see if it's coming from an HP printer. I had a workgroup printer
that had a buggy driver, and it was flooding the print server with
10mbit of traffic.

Yank all of the printers and see if the problem goes away.
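The triage step suggested in this thread (find out which hosts are generating the sid 4414 alerts and which servers they hit, then check those hosts against the printer inventory before treating it as an attack) can be done from Snort's fast-format alert log. The script below is an added example, not code from the thread or from Snort; the alert lines, addresses and rule revision number are constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed Snort "fast" alert lines (not from the thread). sid 4414 is the spoolss
# AddPrinterEx rule named above; the rev, the addresses and sid 9999999 are made up.
SAMPLE_ALERTS = """\
09/08-10:00:01.000001  [**] [1:4414:7] NETBIOS SMB spoolss AddPrinterEx unicode little endian overflow attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.1.2.30:1041 -> 10.1.0.5:445
09/08-10:00:02.000002  [**] [1:4414:7] NETBIOS SMB spoolss AddPrinterEx unicode little endian overflow attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.1.2.30:1042 -> 10.1.0.5:445
09/08-10:00:03.000003  [**] [1:4414:7] NETBIOS SMB spoolss AddPrinterEx unicode little endian overflow attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.1.2.30:1043 -> 10.1.0.6:445
09/08-10:00:04.000004  [**] [1:4414:7] NETBIOS SMB spoolss AddPrinterEx unicode little endian overflow attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.1.3.77:2001 -> 10.1.0.5:445
09/08-10:00:05.000005  [**] [1:9999999:1] UNRELATED TEST RULE (constructed) [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.1.3.77:2002 -> 10.1.0.5:445
"""

# One fast-format line: timestamp, [gid:sid:rev], message, ..., {proto} src:port -> dst:port
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)

def parse_alerts(text):
    """Parse fast-format alert lines into dicts; lines that do not match are skipped."""
    out = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            out.append(m.groupdict())
    return out

def top_sources(alerts, sid="4414"):
    """Count alerts for one rule per source host and record which servers each source hit."""
    counts = Counter()
    targets = defaultdict(set)
    for a in alerts:
        if a["sid"] == sid:
            counts[a["src"]] += 1
            targets[a["src"]].add(a["dst"])
    return counts, targets

def triage(alerts, sid="4414", min_hits=2):
    """Return (src, hits, sorted targets) for sources at or above min_hits, busiest first.
    A few hosts hammering a few print servers is the pattern to check against the
    printer/driver inventory before treating the alert as an attack."""
    counts, targets = top_sources(alerts, sid)
    rows = [(src, n, sorted(targets[src])) for src, n in counts.items() if n >= min_hits]
    return sorted(rows, key=lambda r: -r[1])

if __name__ == "__main__":
    for src, n, dsts in triage(parse_alerts(SAMPLE_ALERTS)):
        print(f"{src}: {n} sid-4414 alerts -> {', '.join(dsts)}")
```

Point `parse_alerts` at the contents of Snort's alert file to get the real source/target list for sid 4414; the hosts at the top of the output are the ones to look up in the printer and driver inventory.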
