Honeypots mailing list archives
Re: snort inline doesn't seem to drop malicious traffic
From: "Alexander Meyer (spot-media AG)" <meyer () spot-media de>
Date: Tue, 29 Jul 2003 13:48:14 +0200
On Tue, 29 Jul 2003 09:29:07 +0200, Stephan Scholz wrote:

> Are you sure you are using the right ruleset? The rules need to be converted from target "alert" to "drop".

I'm pretty sure about that, because I took the drop ruleset that was published on the Honeynet website. The rule in question is this one:

    drop tcp $HONEYNET any -> $EXTERNAL_NET 139 (msg:"NETBIOS SMB trans2open buffer overflow attempt"; flow:to_server,established; content:"|00|"; offset:0; depth:1; content:"|ff 53 4d 42 32|"; offset:4; depth:5; content:"|00 14|"; offset:60; depth:2; byte_test:2,>,1024,0,relative,little; reference:cve,CAN-2003-0201; reference:url,www.digitaldefense.net/labs/advisories/DDI-1013.txt; classtype:attempted-admin; sid:2103; rev:2;)

I also did some testing with the test rules that come with the current snort inline toolkit, and they worked fine (except that one replace rule that should change "com" to "org" in DNS traffic, but I didn't expect the replace rules to be perfect anyway).

The strange thing about the NetBIOS rule is that it seems to apply correctly (the alert shows up in the logs), only the packets aren't dropped.

I'm really getting kind of confused about this.

Alexander.

--
spot-media AG
Alexander Meyer
Systemadministrator
Lange Reihe 2
20099 Hamburg
Fon: 040-248 28 711
Fax: 040-248 28 880
www.spot-media.de
mailto:meyer () spot-media de
Key ID: FA4FC80C
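The following is an added example, not code from the post, from Snort, or from the snort_inline toolkit. It is a small evaluator for the match conditions of the sid 2103 rule quoted above, written so a reader can see exactly which bytes the rule inspects (the NetBIOS session byte at offset 0, the `\xffSMB` signature plus the TRANSACTION2 command byte at offset 4, the two bytes at offset 60, and the little-endian 16-bit field immediately after them that `byte_test` compares against 1024) and that the rule's action token is indeed `drop`. It supports only the option keywords this rule uses (`content` with `|hex|` escapes, `offset`, `depth`, and `byte_test` with the `relative` and `little` modifiers); the SMB payloads are constructed inline for the demonstration and are not captured traffic. Whether a matching packet is then dropped depends on the inline engine and the iptables QUEUE path, which this example does not model.

```python
"""Mini evaluator for the content/byte_test checks of Snort rule sid 2103.
Added example; it is not Snort's own rule engine and only handles the subset
of rule options that the quoted rule uses."""
import struct

# The rule from the post (references trimmed), kept on one line for parsing.
RULE = ('drop tcp $HONEYNET any -> $EXTERNAL_NET 139 '
        '(msg:"NETBIOS SMB trans2open buffer overflow attempt"; '
        'flow:to_server,established; content:"|00|"; offset:0; depth:1; '
        'content:"|ff 53 4d 42 32|"; offset:4; depth:5; '
        'content:"|00 14|"; offset:60; depth:2; '
        'byte_test:2,>,1024,0,relative,little; '
        'reference:cve,CAN-2003-0201; classtype:attempted-admin; sid:2103; rev:2;)')


def parse_rule(rule):
    """Split a rule into (action, header, ordered [(keyword, value), ...])."""
    head, _, body = rule.partition('(')
    action, header = head.split(None, 1)
    opts = []
    for raw in body.rstrip(')').split(';'):
        raw = raw.strip()
        if raw:
            key, _, val = raw.partition(':')
            opts.append((key.strip(), val.strip().strip('"')))
    return action, header.strip(), opts


def decode_content(val):
    """Turn a Snort content string into bytes: text outside |..| is literal,
    text inside |..| is hex (spaces ignored)."""
    out = b''
    for i, part in enumerate(val.split('|')):
        out += bytes.fromhex(part.replace(' ', '')) if i % 2 else part.encode('latin-1')
    return out


def payload_matches(opts, payload):
    """Walk the options in order and return True if every content and
    byte_test check holds. `pos` is the end of the last content match, which
    the 'relative' modifier of byte_test refers to."""
    pos, i = 0, 0
    while i < len(opts):
        key, val = opts[i]
        if key == 'content':
            pattern, offset, depth = decode_content(val), 0, None
            j = i + 1  # consume the offset/depth modifiers that follow this content
            while j < len(opts) and opts[j][0] in ('offset', 'depth'):
                if opts[j][0] == 'offset':
                    offset = int(opts[j][1])
                else:
                    depth = int(opts[j][1])
                j += 1
            end = None if depth is None else offset + depth
            found = payload[offset:end].find(pattern)
            if found < 0:
                return False
            pos = offset + found + len(pattern)
            i = j
            continue
        if key == 'byte_test':
            size, op, value, off, *mods = [f.strip() for f in val.split(',')]
            size, value = int(size), int(value)
            start = (pos if 'relative' in mods else 0) + int(off)
            chunk = payload[start:start + size]
            if len(chunk) < size:
                return False
            fmt = ('<' if 'little' in mods else '>') + {1: 'B', 2: 'H', 4: 'I'}[size]
            num = struct.unpack(fmt, chunk)[0]
            if not {'>': num > value, '<': num < value, '=': num == value}[op]:
                return False
        i += 1
    return True


def build_smb_trans2(data_count):
    """Constructed test payload (not real traffic): NetBIOS session byte, SMB
    signature with the TRANSACTION2 command (0x32), zero padding up to offset
    60, the |00 14| bytes, then the little-endian field byte_test reads."""
    pkt = bytearray(64)
    pkt[0] = 0x00
    pkt[4:9] = b'\xffSMB\x32'
    pkt[60:62] = b'\x00\x14'
    pkt[62:64] = struct.pack('<H', data_count)
    return bytes(pkt)


def check_rule(rule, payload):
    """Return (action, matched) for one rule against one TCP payload."""
    action, _header, opts = parse_rule(rule)
    return action, payload_matches(opts, payload)


if __name__ == '__main__':
    for count in (100, 2000):
        action, hit = check_rule(RULE, build_smb_trans2(count))
        print(f'field={count:5d} action={action} matched={hit}')
```

The `count=2000` payload satisfies every check, so a correctly loaded copy of this rule fires and, with the `drop` action, should also be dropped by the inline engine; `count=100` fails the `byte_test` and passes through. If the alert is logged but the packet is still delivered, the match logic is not the place to look; the rule action or the inline queue path is.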
Current thread:
- snort inline doesn't seem to drop malicious traffic Alexander Meyer (spot-media AG) (Jul 28)
- Re: snort inline doesn't seem to drop malicious traffic Stephan Scholz (Jul 29)
- Re: snort inline doesn't seem to drop malicious traffic Alexander Meyer (spot-media AG) (Jul 29)
- Re: snort inline doesn't seem to drop malicious traffic Stephan Scholz (Jul 29)
- Re: snort inline doesn't seem to drop malicious traffic Alexander Meyer (spot-media AG) (Jul 29)
- Re: snort inline doesn't seem to drop malicious traffic Stephan Scholz (Jul 29)