Problem with honeywall (roo)

[Ivica Maric <imaravk () gmail com>]

Hi all!

I made small honeynet with one honeywall (latest roo edition) and two 
honeypots (one w2k without patches, another Red Hat Linux 7.3 also 
without patches). I have little problems with that w2k honeypot - I get 
all the time this alert: NETBIOS SMB IPC$ unicode share access. OK, i 
first searched web and foud solution: in /etc/snort/snort.conf i changed 
variable HOME_NET to the range of home network and the variable 
EXTERNAL_NET to any. Rule NETBIOS SMB IPC$ unicode share access using 
this two variables so i tought that will fix my problem. But that does 
not fixed my problem. OK, this rule is not something to worry about so i 
decided to remove this rule from /etc/snort/rules. I "greped" and 
deleted this rule, restarted system and i see this rule right now :(

Can anyone help me with this? i have 150-200 equal alarms per hour and 
that drives me crazy. Thank you all for your help!


Ivica Maric
Undergraduate student
Faculty of Electrical Engeneering and Computing (www.fer.hr)
Zagreb
Croatia