Snort mailing list archives

ET 2001581


From: James Lay <jlay () slave-tothe-box net>
Date: Sun, 07 Jun 2009 10:16:11 -0600

Maybe I'm just dumb, but shouldn't something like the below be set to ignore
localnets?

alert tcp $HOME_NET any -> any 135 (msg:"ET SCAN Behavioral Unusual Port 135 traffic, Potential Scan or Infection"; flags: S,12; threshold: type both, track by_src, count 70, seconds 60; classtype: misc-activity; reference:url,doc.emergingthreats.net/2001581; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_Netbios; sid: 2001581; rev:13;)

emerging-sid-msg.map:2001581 || ET SCAN Behavioral Unusual Port 135 traffic, Potential Scan or Infection || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_Netbios || url,doc.emergingthreats.net/2001581

Saw a lot of:

Jun  7 09:47:24 gateway snort[15113]: [1:2001581:13] ET SCAN Behavioral
Unusual Port 135 traffic, Potential Scan or Infection [Classification: Misc
activity] [Priority: 3]: {TCP} 10.0.1.10:2649 -> 10.0.16.62:135

Even though var HOME_NET is [10.0.0.0/8]
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
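The following is an added example for this thread, not code from Snort, from Emerging Threats, or from the poster. It resolves the address fields of a Snort rule header the way the engine does (variables, "any", "!" negation, CIDR lists) and evaluates the header against the connection in the posted alert line, 10.0.1.10:2649 -> 10.0.16.62:135. It also evaluates a hypothetical variant of the rule whose destination is "!$HOME_NET"; that variant, and the EXTERNAL_NET definition in the script, are assumptions made for illustration. The point it demonstrates is that "any" is a superset of $HOME_NET, so a "$HOME_NET any -> any 135" header matches internal-to-internal connections, and only the rule options (flags, threshold) decide whether an alert is raised.

```python
"""Resolve a Snort rule header's address fields and test them against the
connection from the posted alert line.

Added example for this thread; it is not code from Snort, from Emerging
Threats, or from the poster. The EXTERNAL_NET definition and the
'!$HOME_NET' variant of the rule are assumptions made for illustration.
"""
import ipaddress
import re

# HOME_NET as in the poster's config; EXTERNAL_NET is assumed to be the
# usual "everything that is not HOME_NET".
VARS = {
    "HOME_NET": "[10.0.0.0/8]",
    "EXTERNAL_NET": "!$HOME_NET",
}

# Header of the rule as posted, with the option list trimmed.
RULE_AS_POSTED = (
    'alert tcp $HOME_NET any -> any 135 '
    '(msg:"ET SCAN Behavioral Unusual Port 135 traffic, Potential Scan or Infection"; '
    'flags:S,12; threshold: type both, track by_src, count 70, seconds 60; '
    'sid:2001581; rev:13;)'
)

# Hypothetical variant whose destination excludes HOME_NET (assumption).
RULE_EXTERNAL_DST = RULE_AS_POSTED.replace("-> any 135", "-> !$HOME_NET 135")

# Connection taken from the poster's alert line.
LOGGED = ("10.0.1.10", 2649, "10.0.16.62", 135)


def resolve(field):
    """Turn an address field into (negated, [networks]).

    Handles 'any', $VAR references, a leading '!' and a [a,b,c] list of
    CIDRs. Negation of individual items inside a list is not modelled.
    """
    field = field.strip()
    negated = False
    while field.startswith("!"):
        negated = not negated
        field = field[1:].strip()
    if field.startswith("$"):
        inner_negated, nets = resolve(VARS[field[1:]])
        return negated != inner_negated, nets
    if field == "any":
        return negated, [ipaddress.ip_network("0.0.0.0/0")]
    if field.startswith("[") and field.endswith("]"):
        field = field[1:-1]
    nets = []
    for item in field.split(","):
        item = item.strip()
        if not item:
            continue
        if item.startswith(("$", "!")):
            raise ValueError("nested variable/negation not supported: " + item)
        nets.append(ipaddress.ip_network(item, strict=False))
    return negated, nets


def addr_matches(field, ip):
    """True if ip satisfies the address field; negation flips the result."""
    negated, nets = resolve(field)
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets) != negated


def port_matches(spec, port):
    """'any' or a single port number; ranges and lists are not needed here."""
    return spec == "any" or int(spec) == port


HEADER_RE = re.compile(
    r"^\s*(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\("
)


def header_matches(rule, src_ip, src_port, dst_ip, dst_port):
    """Evaluate only the header (action proto src sport dir dst dport).

    Options such as flags and threshold are applied by Snort after the
    header matches, so a header that never matches never alerts.
    """
    m = HEADER_RE.match(rule)
    if not m:
        raise ValueError("not a rule header: " + rule[:40])
    _action, _proto, src, sport, direction, dst, dport = m.groups()

    def one_way(a_ip, a_port, b_ip, b_port):
        return (addr_matches(src, a_ip) and port_matches(sport, a_port)
                and addr_matches(dst, b_ip) and port_matches(dport, b_port))

    if one_way(src_ip, src_port, dst_ip, dst_port):
        return True
    return direction == "<>" and one_way(dst_ip, dst_port, src_ip, src_port)


if __name__ == "__main__":
    for name, rule in (("as posted", RULE_AS_POSTED),
                       ("!$HOME_NET destination", RULE_EXTERNAL_DST)):
        print(f"{name}: header matches {LOGGED[0]} -> {LOGGED[2]}:135 ->",
              header_matches(rule, *LOGGED))
```

Changing the destination field is one way to keep a rule off internal traffic; the other, which leaves the vendor rule untouched, is Snort's event suppression in threshold.conf (a suppress entry for sid 2001581 tracked by source or destination and limited to the local ranges). Which is appropriate depends on whether internal hosts hitting 70 SYNs a minute to port 135 on other internal hosts is something you want to see, which is exactly the behaviour a worm spreading inside the network would produce.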