Snort mailing list archives
RE: the better way?
From: "Briggs, Bruce" <Bruce.Briggs () suny edu>
Date: Thu, 10 Nov 2005 12:24:41 -0500
Comment out "include $RULE_PATH/netbios.rules" in snort.conf.

Bruce

_____
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of John Friedman
Sent: Thursday, November 10, 2005 11:49 AM
To: snort
Subject: Re: [Snort-users] the better way?

Ralf,

Thanks for your reply. You mean that I comment out the alert line in the netbios rule of the rules folder, as the following:

# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB IPC$ share access"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMBu"; distance:3; within:5; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; byte_jump:2,7,little,relative; content:"IPC|24 00|"; nocase; distance:2; flowbits:set,smb.tree.connect.ipc; classtype:protocol-command-decode; sid:537; rev:14;)...

If I do not want to include the netbios rule completely, what's the better way to do it?

Thanks,
John

Ralf Spenneberg <lists () spenneberg org> wrote:

Hi,

the first is not dangerous and the second is hopefully patched. You can suppress these alerts, but I would simply comment out the related rules.

Ralf

On Thursday, 10.11.2005, 07:50 -0800, John Friedman wrote:
> Hi all,
>
> I found I have lots of these alerts: 10.1.10.3 is the domain controller.
>
> #2-(2-1564) [snort] NETBIOS SMB-DS IPC$ unicode share access
>     2005-11-10 10:36:18   10.1.12.14:4000 -> 10.1.10.3:445   TCP
>
> #3-(2-1563) [nessus] [nessus] [cve] [icat] [bugtraq] [bugtraq] [snort] NETBIOS SMB-DS Session Setup NTMLSSP unicode asn1 overflow attempt
>     2005-11-10 10:36:18   10.1.12.14:4000 -> 10.1.10.3:445   TCP
>
> 10.1.12.14 is a workstation or server IP. What's the better way to ignore these alerts? (suppress?) BTW, why does it generate many of these alerts, and is it dangerous?
>
> Thanks,
>
> John

--
Ralf Spenneberg
OpenSource Training
http://www.opensource-training.de
Webereistr. 1
48565 Steinfurt
Germany
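As an added example (not from the thread or from the Snort project), a small Python helper for the two options discussed above: commenting out specific rules by sid in a rules file, as John describes, while handling backslash-continued rules correctly, and building a Snort 2.x suppress entry of the kind Ralf mentions for one known host. The sample rules text is constructed; its first rule is an abridged copy of the sid:537 rule quoted above, and the second is a placeholder.

```python
import re

# Constructed sample rules file: the first rule is an abridged copy of the
# sid:537 rule quoted in the thread, the second is a placeholder rule.
SAMPLE_RULES = """\
# NETBIOS rules (constructed sample file)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB IPC$ share access"; \\
    flow:established,to_server; content:"|00|"; offset:0; depth:1; \\
    content:"|FF|SMBu"; distance:3; within:5; sid:537; rev:14;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"EXAMPLE placeholder rule"; sid:1000001; rev:1;)
"""

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def disable_rules(rules_text: str, sids: set) -> str:
    """Comment out every rule whose sid is in `sids`; leave all others as-is.

    Snort rules may span physical lines with a trailing backslash, so lines
    are gathered into one logical rule before the sid is read, and every
    physical line of a disabled rule gets a '# ' prefix. Rules that are
    already commented out are skipped, so the function is idempotent.
    """
    out, record = [], []
    for line in rules_text.splitlines():
        record.append(line)
        if line.rstrip().endswith("\\"):
            continue  # continuation line: keep gathering
        joined = "".join(l.rstrip()[:-1] if l.rstrip().endswith("\\") else l
                         for l in record)
        m = SID_RE.search(joined)
        if m and int(m.group(1)) in sids and not joined.lstrip().startswith("#"):
            out.extend("# " + l for l in record)
        else:
            out.extend(record)
        record = []
    out.extend(record)  # unterminated continuation at EOF: emit unchanged
    return "\n".join(out) + "\n"


def suppress_line(sid: int, ip: str, track: str = "by_src", gid: int = 1) -> str:
    """Build a Snort 2.x suppress entry (threshold.conf / snort.conf syntax)
    that keeps the rule loaded but silences it for one host."""
    if track not in ("by_src", "by_dst"):
        raise ValueError("track must be by_src or by_dst")
    return f"suppress gen_id {gid}, sig_id {sid}, track {track}, ip {ip}"


if __name__ == "__main__":
    print(disable_rules(SAMPLE_RULES, {537}))
    # 10.1.12.14 is the workstation named in the thread
    print(suppress_line(537, "10.1.12.14"))
```

Disabling by sid keeps the rest of netbios.rules active, whereas Bruce's suggestion of dropping the include removes the whole file; the suppress entry is the middle ground that keeps the rule but ignores one source.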
Current thread:
- the better way? John Friedman (Nov 10)
- Re: the better way? Ralf Spenneberg (Nov 10)
- Re: the better way? John Friedman (Nov 10)
- Re: the better way? Ralf Spenneberg (Nov 10)
- Re: the better way? John Friedman (Nov 10)
- <Possible follow-ups>
- RE: the better way? Briggs, Bruce (Nov 10)
- Re: the better way? Ralf Spenneberg (Nov 10)