RE: PDC -> Workstation Registry Connect

From: Estes, Matt CPR / FCBS (Matt.Estes@eis.army.mil)
Date: 04/30/02

• Previous message: H C: "Re: PDC -> Workstation Registry Connect"
• Maybe in reply to: Estes, Matt CPR / FCBS: "PDC -> Workstation Registry Connect"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

From: "Estes, Matt CPR / FCBS" <Matt.Estes@eis.army.mil>
To: 'H C' <keydet89@yahoo.com>, "Focus-Ms (E-mail)" <focus-ms@securityfocus.com>
Date: Tue, 30 Apr 2002 11:18:32 -0400

I was testing custom rules and added a snort rule for port 139 traffic with
content of "/PIPE/winreg" just to see what would hit. Only been up a few
days, but very few hits until just now.

3 sessions, about 1-2 minutes apart. The workstation is in a different
domain. PDC in NT4. SMS is running, but not managing that machine.

Matt

> -----Original Message-----
> From: H C [mailto:keydet89@yahoo.com]
> Sent: Tuesday, April 30, 2002 10:13 AM
> To: Estes, Matt CPR / FCBS; Focus-Ms (E-mail)
> Subject: Re: PDC -> Workstation Registry Connect
>
>
> Matt,
>
> Here are a couple of things that might help narrow
> down what's going on...
>
> 1. Which IDS are you using?
> 2. How is the rule you added constructed? Are you
> able to tell which hive/key was requested?
> 3. What are the processes running on the PDC, a la
> pslist?
>
>
> --- "Estes, Matt CPR / FCBS" <Matt.Estes@eis.army.mil>
> wrote:
> > Anybody know a reason why a PDC would suddenly open
> > a registry connection to
> > a workstation. Added a rule to my IDS a while back
> > and suddenly today it
> > happens... and nobody was physically at either
> > machine.
> >
> > Matt
> >
> > __________________________
> > Matthew Estes
> > Open Systems Engineer
> > FC Business Systems, Inc.
> >
> >
>
>
> __________________________________________________
> Do You Yahoo!?
> Yahoo! Health - your guide to health and wellness
> http://health.yahoo.com
>

---

• Previous message: H C: "Re: PDC -> Workstation Registry Connect"
• Maybe in reply to: Estes, Matt CPR / FCBS: "PDC -> Workstation Registry Connect"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages Re: Default email address for contact ... "matt" wrote in message ... pick from the list" dialogue in OE6 (I don't use any ... >>> wanted to use for that contact, when I hit send (because the ... >>> when sending mail. ... (microsoft.public.windows.inetexplorer.ie6_outlookexpress) Re: Cyclist hit and runs - what is the answer? ... Matt B wrote: ... > run incidents perpetrated by cyclists, ... > knee-jerk cycle registration onto our statute books. ... number of hit and runs by cyclists or is the knee-jerk media already ... (uk.rec.cycling) Re: Default email address for contact ... "matt" wrote in message ... > wanted to use for that contact, when I hit send (because the ... > to the first entry in the list, meaning I can easily send it to the ... > when sending mail. ... (microsoft.public.windows.inetexplorer.ie6_outlookexpress) Re: Linux Media Center?!?!?!! ... Matt you hit it... ... This is why I love usenet ... >> It was a linux distro that touted to be geared towards people wanting to ... (comp.os.linux.misc)

---

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint

www.derkeiler.com  > Mailing-Lists  > securityfocus  > focus-ms  > 2002-04