Snort mailing list archives
Re: Help with pass rule
From: sekure <sekure () gmail com>
Date: Thu, 2 Sep 2004 11:00:18 -0400
Prabu,

The original message included the following alert:
[1:2404:5] NETBIOS SMB-DS Session Setup AndX request unicode username overflow attempt [Classification: Attempted Administrator Privilege Gain] [Priority: 1]: {TCP} 160.214.186.9:2636 -> 160.214.186.45:445
The sid is 2404, so my initial post was correct. Sid 2505 is "WEB-PHP phptest.php access". But this does bring up an interesting point.

Carlton, a lot of the Windows rules have two versions, one for SMB over NBT (port 139) and one for SMB over TCP/IP (port 445). So if you are going to be suppressing rules, make sure you suppress them both, if they are both popping up. The other sid is 2403 "NETBIOS SMB Session Setup AndX request unicode username overflow attempt". It's a subtle difference and I've been caught dumbfounded more than once, after suppressing one rule, seeing the other, but not realizing it and thinking Snort was somehow broken.

Good luck.

On Thu, 2 Sep 2004 09:54:09 +0530, prabu <prabu333 () hotpop com> wrote:
Hi,

I guess that the correct sig_id for that rule is supposed to be 2404, instead of 2405. So the suppress command should be:

suppress gen_id 1, sig_id 2404, track by_src, ip 160.214.186.9

instead of:

suppress gen_id 1, sig_id 2405, track by_src, ip 160.214.186.9

Cheers,
Prabu.S
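The point sekure makes above, that a suppress entry is keyed on one gid:sid and so silences only one of the NBT/TCP twins, can be checked offline before touching threshold.conf. The following is an added example written for this archive page, not code from the thread or from the Snort project: it parses alert lines in the format quoted above and Snort-style `suppress` entries, then reports which alerts would still fire. The sibling table (2403 <-> 2404) is taken from the thread; the port-139 alert, its rev number and the second source host 160.214.186.77 are constructed sample data, and CIDR matching on the `ip` field is an assumption of this example rather than something the thread discusses.

```python
"""Check which Snort alerts a set of `suppress` entries would silence.

Added example for the archive page; not Snort's own code.  The alert line
format is the one quoted in the thread (no timestamp / [**] markers).
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+"
    r"\[Classification:\s*[^\]]+\]\s+\[Priority:\s*\d+\]:?\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)"
)
SUPPRESS_RE = re.compile(
    r"^suppress\s+gen_id\s+(?P<gid>\d+)\s*,\s*sig_id\s+(?P<sid>\d+)"
    r"(?:\s*,\s*track\s+(?P<track>by_src|by_dst)\s*,\s*ip\s+(?P<ip>\S+))?\s*$"
)

# The NBT (port 139) / TCP (port 445) twins named in the thread.
SMB_SIBLINGS = {2403: 2404, 2404: 2403}


@dataclass(frozen=True)
class Alert:
    gid: int
    sid: int
    rev: int
    msg: str
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Suppression:
    gid: int
    sid: int
    track: Optional[str]  # "by_src", "by_dst" or None (suppress everywhere)
    net: Optional[object]  # ipaddress network, or None when track is None


def parse_alert(line: str) -> Alert:
    m = ALERT_RE.search(line)
    if not m:
        raise ValueError("not a Snort alert line: %r" % line)
    return Alert(int(m["gid"]), int(m["sid"]), int(m["rev"]), m["msg"],
                 m["src"], m["dst"], int(m["dport"]))


def parse_suppress(line: str) -> Suppression:
    m = SUPPRESS_RE.match(line.strip())
    if not m:
        raise ValueError("not a suppress entry: %r" % line)
    # Assumption: accept a bare IP or a CIDR block in the ip field.
    net = ipaddress.ip_network(m["ip"], strict=False) if m["ip"] else None
    return Suppression(int(m["gid"]), int(m["sid"]), m["track"], net)


def suppression_for(alert: Alert) -> List[str]:
    """Emit by_src suppress lines for the alert AND its SMB twin, if any."""
    sids = {alert.sid, SMB_SIBLINGS.get(alert.sid, alert.sid)}
    return ["suppress gen_id %d, sig_id %d, track by_src, ip %s"
            % (alert.gid, sid, alert.src) for sid in sorted(sids)]


def is_suppressed(alert: Alert, sups: List[Suppression]) -> bool:
    for s in sups:
        if (s.gid, s.sid) != (alert.gid, alert.sid):
            continue  # a suppress entry never touches another sid
        if s.track is None:
            return True
        addr = ipaddress.ip_address(alert.src if s.track == "by_src" else alert.dst)
        if addr in s.net:
            return True
    return False


def surviving_alerts(alert_lines: List[str], suppress_lines: List[str]) -> List[Alert]:
    sups = [parse_suppress(l) for l in suppress_lines
            if l.strip() and not l.lstrip().startswith("#")]
    return [a for a in map(parse_alert, alert_lines) if not is_suppressed(a, sups)]


# Constructed sample: the alert quoted in the thread, a port-139 twin from
# the same host (sid 2403), and the same signature from a different host.
SAMPLE_ALERTS = [
    "[1:2404:5] NETBIOS SMB-DS Session Setup AndX request unicode username overflow attempt "
    "[Classification: Attempted Administrator Privilege Gain] [Priority: 1]: "
    "{TCP} 160.214.186.9:2636 -> 160.214.186.45:445",
    "[1:2403:5] NETBIOS SMB Session Setup AndX request unicode username overflow attempt "
    "[Classification: Attempted Administrator Privilege Gain] [Priority: 1]: "
    "{TCP} 160.214.186.9:2637 -> 160.214.186.45:139",
    "[1:2404:5] NETBIOS SMB-DS Session Setup AndX request unicode username overflow attempt "
    "[Classification: Attempted Administrator Privilege Gain] [Priority: 1]: "
    "{TCP} 160.214.186.77:1042 -> 160.214.186.45:445",
]
ONLY_445 = ["suppress gen_id 1, sig_id 2404, track by_src, ip 160.214.186.9"]

if __name__ == "__main__":
    print("suppressing only 2404 leaves:",
          [(a.sid, a.src, a.dport) for a in surviving_alerts(SAMPLE_ALERTS, ONLY_445)])
    both = suppression_for(parse_alert(SAMPLE_ALERTS[0]))
    print("\n".join(both))
    print("suppressing both twins leaves:",
          [(a.sid, a.src, a.dport) for a in surviving_alerts(SAMPLE_ALERTS, both)])
```

Run as-is, the script shows the trap described in the reply: with only sid 2404 suppressed, the sid 2403 alert from 160.214.186.9 still fires, which is the "Snort looks broken" symptom. Feeding `suppression_for()`'s two lines back in silences that host on both twins while leaving the alert from the other host alone, which is what `track by_src` is for.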
Current thread:
- help with pass rule Scott Elgram (Jul 01)
- Re: help with pass rule sekure (Jul 01)
- Re: help with pass rule Scott Elgram (Jul 01)
- Re: help with pass rule sekure (Jul 01)
- Re: help with pass rule Scott Elgram (Jul 01)
- Re: help with pass rule Scott Elgram (Jul 01)
- Re: help with pass rule sekure (Jul 01)
- Re: help with pass rule Keith W. McCammon (Jul 01)
- <Possible follow-ups>
- Help with pass rule Carlton L. Whitmore (Sep 01)
- Re: Help with pass rule sekure (Sep 01)
- Re: Help with pass rule prabu (Sep 01)
- Re: Help with pass rule sekure (Sep 02)
- Re: Help with pass rule prabu (Sep 02)
- Re: Help with pass rule sekure (Sep 03)
- E-mail alerting Carlos M Ospina (Sep 03)
- Re: E-mail alerting Keith W. McCammon (Sep 03)
- Re: E-mail alerting prabu (Sep 03)
- RE: E-mail alerting Andy (Sep 12)
- Re: E-mail alerting prabu (Sep 13)
- RE: E-mail alerting Andy (Sep 18)
- RE: E-mail alerting Andy (Sep 18)
- RE: E-mail alerting Andy (Sep 18)
- Re: Help with pass rule sekure (Sep 01)