GEN:SID 1:1239
Message NETBIOS RFParalyze Attempt
Summary This event is generated when an attempt is made to execute the RFParalyze DoS
exploit.
Impact If the destination machine is vulnerable, it may start behaving
unpredictably.  Succesful exploitation may lead to a full system crash
or may cause certain services to become unavailable.
Detailed Information This signature triggers on execution of RFParalyze, an exploit written
in 2000 by Rain Forest Puppy.  It was based on a binary exploit called
"whisper", which was used in the wild at that time.  This exploit
performs a NetBIOS session request with a source host of NULL, which is
incorrectly handled by Windows 95/98 hosts.
Affected Systems Windows 95
    Windows 98
Attack Scenarios An attacker can crash critical machines, thereby
preventing them from being accessed by legitimate clients.
Ease of Attack Simple.  Exploit code exists.
Corrective Action Patches are not available from the vendor.

Use a packet filtering firewall to block inbound traffic to port 139/TCP from
all untrusted networks & hosts

Upgrade critical machines to a more recent and supported version of the
operating system.
Additional References Bugtraq
http://www.securityfocus.com/bid/1163

CVE
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0347
Rule References bugtraq: 1163
cve: 2000-0347
nessus: 10392