Snort mailing list archives
Re: gen-msg.map missing some SIDs for dcerpc2
From: beenph <beenph () gmail com>
Date: Thu, 22 Nov 2012 16:35:41 -0500
On Thu, Nov 22, 2012 at 3:42 PM, Jeremy Hoel <jthoel () gmail com> wrote:
what are the binary rules that come in the vrt download?
From a recent gen-msg.map (2.9.3)
<SNIP>
133 || 40 || dcerpc2: Connectionless DCE/RPC - Invalid major version
133 || 41 || dcerpc2: Connectionless DCE/RPC - Invalid pdu type
133 || 42 || dcerpc2: Connectionless DCE/RPC - Data length less than header size
133 || 43 || dcerpc2: Connectionless DCE/RPC - Bad sequence number
#133 || 44 || dcerpc2: SMB - Invalid SMB version 1 seen
#133 || 45 || dcerpc2: SMB - Invalid SMB version 2 seen
#133 || 46 || dcerpc2: SMB - Invalid user, tree connect, file binding
#133 || 47 || dcerpc2: SMB - Excessive command compounding
</SNIP>
From 2.9.4 src (probably a lot like 2.9.3.x)
<SNIP>
generators.h:#define DCE2_EVENT__SMB2_EXCESSIVE_COMPOUNDING 47
generators.h:#define DCE2_EVENT__SMB_DCNT_ZERO 48
generators.h:#define DCE2_EVENT__SMB_DCNT_MISMATCH 49
generators.h:#define DCE2_EVENT__SMB_MAX_REQS_EXCEEDED 50
generators.h:#define DCE2_EVENT__SMB_REQS_SAME_MID 51
generators.h:#define DCE2_EVENT__SMB_DEPR_DIALECT_NEGOTIATED 52
generators.h:#define DCE2_EVENT__SMB_DEPR_COMMAND_USED 53
generators.h:#define DCE2_EVENT__SMB_UNUSUAL_COMMAND_USED 54
generators.h:#define DCE2_EVENT__SMB_INVALID_SETUP_COUNT 55
generators.h:#define DCE2_EVENT__SMB_MULTIPLE_NEGOTIATIONS 56
</SNIP>

-elz
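The comparison made by hand in the message above can be scripted. The following is an added example, not part of the original post or of Snort: it parses the `gid || sid || message` lines of gen-msg.map and the `DCE2_EVENT__*` defines (as plain header lines or as the grep output shown), then reports which SIDs have no map entry and which exist only as commented-out entries. The function names are hypothetical, the sample data is the excerpt quoted in the post, and generator ID 133 is taken from the map lines shown there.

```python
import re

# Sample data: the two excerpts quoted in the post above.
GEN_MSG_MAP = """\
133 || 40 || dcerpc2: Connectionless DCE/RPC - Invalid major version
133 || 41 || dcerpc2: Connectionless DCE/RPC - Invalid pdu type
133 || 42 || dcerpc2: Connectionless DCE/RPC - Data length less than header size
133 || 43 || dcerpc2: Connectionless DCE/RPC - Bad sequence number
#133 || 44 || dcerpc2: SMB - Invalid SMB version 1 seen
#133 || 45 || dcerpc2: SMB - Invalid SMB version 2 seen
#133 || 46 || dcerpc2: SMB - Invalid user, tree connect, file binding
#133 || 47 || dcerpc2: SMB - Excessive command compounding
"""
GENERATORS_H = """\
generators.h:#define DCE2_EVENT__SMB2_EXCESSIVE_COMPOUNDING 47
generators.h:#define DCE2_EVENT__SMB_DCNT_ZERO 48
generators.h:#define DCE2_EVENT__SMB_DCNT_MISMATCH 49
generators.h:#define DCE2_EVENT__SMB_MAX_REQS_EXCEEDED 50
generators.h:#define DCE2_EVENT__SMB_REQS_SAME_MID 51
generators.h:#define DCE2_EVENT__SMB_DEPR_DIALECT_NEGOTIATED 52
generators.h:#define DCE2_EVENT__SMB_DEPR_COMMAND_USED 53
generators.h:#define DCE2_EVENT__SMB_UNUSUAL_COMMAND_USED 54
generators.h:#define DCE2_EVENT__SMB_INVALID_SETUP_COUNT 55
generators.h:#define DCE2_EVENT__SMB_MULTIPLE_NEGOTIATIONS 56
"""

# A leading '#' marks a commented-out map entry; free-text comments do not match.
MAP_LINE = re.compile(r"^(#?)\s*(\d+)\s*\|\|\s*(\d+)\s*\|\|\s*(.*)$")
# Accepts a bare '#define' line or grep output prefixed with 'file:'.
DEFINE = re.compile(r"^(?:[\w./-]+:)?\s*#define\s+(DCE2_EVENT__\w+)\s+(\d+)\b")

def parse_gen_msg_map(text, gid):
    """Return {sid: (is_active, message)} for one generator ID."""
    hits = (MAP_LINE.match(line.strip()) for line in text.splitlines())
    return {int(m.group(3)): (m.group(1) == "", m.group(4).strip())
            for m in hits if m and int(m.group(2)) == gid}

def parse_defines(text):
    """Return {sid: macro_name} for every DCE2_EVENT__* define found."""
    hits = (DEFINE.match(line.strip()) for line in text.splitlines())
    return {int(m.group(2)): m.group(1) for m in hits if m}

def audit(map_text, header_text, gid=133):
    """Split source-defined SIDs into (absent from map, commented out in map)."""
    entries, defines = parse_gen_msg_map(map_text, gid), parse_defines(header_text)
    missing = {s: n for s, n in defines.items() if s not in entries}
    commented = {s: n for s, n in defines.items() if s in entries and not entries[s][0]}
    return missing, commented

if __name__ == "__main__":
    for label, sids in zip(("missing", "commented out"), audit(GEN_MSG_MAP, GENERATORS_H)):
        print(label, sorted(sids.items()))
```

Events with a SID absent from the map are reported by tools that resolve messages through gen-msg.map without a readable name, so the "missing" set is the list of entries to add after a Snort upgrade.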