Snort mailing list archives
Re: SMB PREPROCESSOR
From: sec hot via Snort-users <snort-users () lists snort org>
Date: Mon, 31 Dec 2018 23:28:44 +0200
Attached. Unfortunately I cannot add the pcap because it contains real data. The rule is trying to detect an LDAP query from the CLI, for example: net group "domain admins" /domain

On Mon, Dec 31, 2018 at 9:56 PM Al Lewis (allewi) <allewi () cisco com> wrote:
Can you share the rule, the conf file and pcap? It may be easier to help if you show what you're working with.

*Albert Lewis*
ENGINEER.SOFTWARE ENGINEERING
Cisco Systems Inc.
Email: allewi () cisco com

*From:* Snort-users <snort-users-bounces () lists snort org> on behalf of sec hot via Snort-users <snort-users () lists snort org>
*Reply-To:* sec hot <sechot44 () gmail com>
*Date:* Monday, December 31, 2018 at 2:55 PM
*To:* "snort-users () lists snort org" <snort-users () lists snort org>
*Subject:* [Snort-users] SMB PREPROCESSOR

Hi,

How does the preprocessor work? I created an SMB rule that detects content in an SMB packet. For some reason the rule does not trigger every time: I am sending the same packet over and over, and only the third time does the rule trigger. Is it related to the SMB preprocessor? Why is that?
Attachment: snort.conf
Attachment: local.rules
Current thread:
- SMB PREPROCESSOR sec hot via Snort-users (Dec 31)
- Re: SMB PREPROCESSOR Al Lewis (allewi) via Snort-users (Dec 31)
- Re: SMB PREPROCESSOR sec hot via Snort-users (Dec 31)
- Re: SMB PREPROCESSOR Al Lewis (allewi) via Snort-users (Dec 31)