Gentle people,

Our servers consistently encounter SMB name wildcard probes. I observed the first unusual (spoofed) probe at May 1 08:21:19. This probe was instantly followed by a valid SMB name wildcard. Are these obvious decoys becoming trendy or is it just me?

As always, relevant packet dumps can be found at:

http://192.117.130.34/Fendor/security/spoofed-SMB-packets.gz
http://192.117.130.34/Fendor/security/spoofed-SMB-packets2.gz

The snort alerts can be found at:

http://192.117.130.34/Fendor/security/SMB-snort-alerts

The spoofed packets usually arrive immediately after some host performs a standard probe. Which tool is generating this traffic?

BTW, I am indeed NAT'ed, but 192.168.0.1 does not exist on our network.

Regards,
Yotam Rubin
This archive was generated by hypermail 2b30 : Fri May 04 2001 - 07:15:50 PDT