Snort mailing list archives
Re: Re: Noob
From: Brian Caswell <bmc () snort org>
Date: Fri, 24 Dec 2004 17:37:37 -0500
On Dec 23, 2004, at 2:31 PM, Brian Stamper wrote:
> I have 10 unique alerts largest below:
> 75 - protocol-command-decode - NETBIOS SMB winreg Unicode access
Registry access happens quite a bit on Microsoft networks. Either configure your homenet/external_net appropriately, or add a flowbits:noalert; to the rule so that it will still work where needed, but not generate alerts.
> 30 - protocol-command-decode - NETBIOS SMB IPC$ share Unicode access
This is fairly normal traffic. The next revision of the rule will have a flowbits:noalert. DO NOT TURN THIS RULE OFF if you expect any of the complicated Samba rules to work.
> 21 - attempted-admin - NETBIOS SMB DCERPC NTLMSSP asn1 overflow attempt
What rev of the rule are you using? Early versions had false positive issues.
Brian
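The flowbits behaviour described in the message above, shown as an added illustration that is not part of the original post or of the official Snort rule set. The messages, content strings, flowbit name and sids are constructed placeholders in the local sid range, not the real NETBIOS rules.

```snort
# Constructed example for Snort 2.x rule syntax. Not the real NETBIOS SMB rules.

# Setter rule: matches a routine, high-volume request and records that fact
# on the session with flowbits:set. flowbits:noalert suppresses the alert,
# so the rule keeps tracking state without filling the alert log.
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 ( \
    msg:"LOCAL example setter - routine share access (state only)"; \
    flow:established,to_server; \
    content:"EXAMPLE-SHARE-CONNECT"; \
    flowbits:set,example.share.connected; \
    flowbits:noalert; \
    classtype:protocol-command-decode; \
    sid:1000001; rev:1;)

# Dependent rule: only evaluated as a match when the setter above has already
# fired on the same session (flowbits:isset). If sid 1000001 is disabled or
# commented out, the flowbit is never set and this rule can never alert.
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 ( \
    msg:"LOCAL example dependent - suspicious request after share access"; \
    flow:established,to_server; \
    flowbits:isset,example.share.connected; \
    content:"EXAMPLE-SUSPICIOUS-REQUEST"; \
    classtype:attempted-admin; \
    sid:1000002; rev:1;)
```

When tuning a noisy rule, search the rule set for `flowbits:isset` on the flowbit name it sets before disabling it; if anything depends on it, add `flowbits:noalert;` instead.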