Re: New netbios rules?

[Nerijus Krukauskas <nkrukauskas () gmail com>]

On 2009-07-15, craig bowser <reswob10 () gmail com> wrote:
> I just got the same problem as jlay <jlay () slave-tothe-box net>.  I've had
> v2.8.4.1 running just fine for a while, but today I updated the rules (both
> from Snort and from Emerging threats) and performed an 'apt-get upgrade' and
> suddenly I'm getting this error.  I don't have either "preprocessor dcerpc2"
> or " preprocessor dcerpc_server: default" in my snort.conf and the entry for
> dce/rpc is as follows:
>
> # Per Step #2, set the following to load the dcerpc preprocessor
> # dynamicpreprocessor file <full path to libsf_dcerpc_preproc.so>
> # or use commandline option
> # --dynamic-preprocessor-lib <full path to libsf_dcerpc_preproc.so>
>
> preprocessor dcerpc: \
>     autodetect \
>     max_frag_size 3000 \
>     memcap 100000
>
> So it appears to be enabled.
>
> However, I looked for libsf_dcerpc_preproc.so, but that file is not
> present.  Do I need to create one?  The README.dcerpc file does not say how
> to format such a file.
>
> OTOH, did I screw up something updating the rules?

The new netbios rules need the NEW dcerpc2 preprocessor. Make sure you
have it and enabled in snort config. And the readme is called
README.dcerpc2.

-- 
http://nk99.org/

------------------------------------------------------------------------------
Enter the BlackBerry Developer Challenge  
This is your chance to win up to $100,000 in prizes! For a limited time, 
vendors submitting new applications to BlackBerry App World(TM) will have
the opportunity to enter the BlackBerry Developer Challenge. See full prize  
details at: http://p.sf.net/sfu/Challenge
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users