Snort mailing list archives
RE: Snort SMB
From: "Paulo Filipe Mira" <paulo.mira () soquimica pt>
Date: Thu, 22 Aug 2002 17:05:49 +0100
Assuming a *nix snort box:

You do have to have samba installed and working properly, as the alert is sent through the 'smbclient' program; see spo_alert_smb.c, line 246 sends the alert through:

    snprintf(command_line, 2047, "echo \"%s\" | smbclient -U Snort -M %s", tempmsg, tempwork);

Be careful because those winpopup messages can get very annoying on a busy network.

Paulo Filipe Mira
SA Soquímica
paulo.mira () soquimica pt
Tel: +351 21 716 51 60
Fax: +351 21 716 51 69

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Spangberg, Henrik
Sent: Thursday, 22 August 2002 12:47
To: Snort-Users (E-mail)
Cc: Snort-Users (E-mail)
Subject: RE: [Snort-users] Snort SMB

Yep,
That's right. I'm asking about samba ALERT, i.e. a winpopup dialog.

// Henrik S

-----Original Message-----
From: David Yip [mailto:dy () davidyip com]
Sent: 22 August 2002 13:32
To: "Sundström, Tomas"
Cc: 'Spangberg, Henrik'; Snort-Users (E-mail)
Subject: RE: [Snort-users] Snort SMB

I think he is asking about samba ALERT, i.e. a winpopup dialog box, I think.

At 18:31 22/8/2002, Sundström, Tomas wrote:

Hi,

    pass udp $HOME_NET 137:138 <> $HOME_NET 137:138 (msg:"AcceptNetbios"; sid:1000027;)

You choose whether you pass, alert, log, react to this match. This rule only applies on local "broadcasts" sent from windows machines but also for samba enabled servers.

Rgds. Tomas

-----Original Message-----
From: Spangberg, Henrik [mailto:Henrik.Spangberg () borealisgroup com]
Sent: 22 August 2002 11:25
To: Snort-Users (E-mail)
Subject: [Snort-users] Snort SMB

Hello,

Does anybody know where to find information on how to configure SNORT with smb alert. Does SAMBA have to be installed?
No
Most kind regards
Henrik

-------------------------------------------------------
This sf.net email is sponsored by: OSDN - Tired of that same old cell phone? Get a new here for FREE!
https://www.inphonic.com/r.asp?r=sourceforge1&refcode1=vs3390
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

--
David Yip
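The line quoted from spo_alert_smb.c formats a shell pipeline, so the alert text placed inside the double quotes still undergoes shell expansion before smbclient sees it. The following C is an added example, not code from Snort or from the original post: it passes the same smbclient options as separate arguments and feeds the message on stdin, with no shell involved. The function names and the conservative 15-character workstation-name check are assumptions.

```c
#include <ctype.h>
#include <signal.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Assumed policy: 1-15 chars of [A-Za-z0-9_-], no leading '-' (so the name
   can never be read as an option). Stricter than NetBIOS itself. */
int valid_workstation(const char *name)
{
    size_t n = strlen(name);
    if (n == 0 || n > 15 || name[0] == '-')
        return 0;
    for (size_t i = 0; i < n; i++)
        if (!isalnum((unsigned char)name[i]) && name[i] != '-' && name[i] != '_')
            return 0;
    return 1;
}

/* Exec argv[0] directly, write msg to its stdin, return its exit status
   (-1 on any local error). No shell ever parses msg. */
int pipe_to_argv(char *const argv[], const char *msg)
{
    int fd[2], status;
    if (pipe(fd) < 0) return -1;
    signal(SIGPIPE, SIG_IGN);            /* a dead child must not kill the sensor */
    pid_t pid = fork();
    if (pid < 0) { close(fd[0]); close(fd[1]); return -1; }
    if (pid == 0) {                      /* child: stdin <- pipe, then exec */
        signal(SIGPIPE, SIG_DFL);
        dup2(fd[0], STDIN_FILENO);
        close(fd[0]); close(fd[1]);
        execvp(argv[0], argv);
        _exit(127);                      /* exec failed, e.g. samba not installed */
    }
    close(fd[0]);
    ssize_t w = write(fd[1], msg, strlen(msg));   /* alert text travels as data */
    close(fd[1]);
    if (waitpid(pid, &status, 0) < 0 || w < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* Same options as the quoted line: smbclient -U Snort -M <workstation>. */
int send_winpopup(const char *workstation, const char *msg)
{
    if (!valid_workstation(workstation)) return -1;
    char *argv[] = { "smbclient", "-U", "Snort", "-M", (char *)workstation, NULL };
    return pipe_to_argv(argv, msg);
}
```

A return value of 127 from send_winpopup means smbclient could not be executed, which matches the point in the reply above that Samba has to be installed for SMB alerts to work.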
Current thread:
- Snort SMB Spangberg, Henrik (Aug 22)
- <Possible follow-ups>
- RE: Snort SMB Sundström, Tomas (Aug 22)
- RE: Snort SMB David Yip (Aug 22)
- RE: Snort SMB Spangberg, Henrik (Aug 22)
- RE: Snort SMB Paulo Filipe Mira (Aug 22)
- Re: Snort SMB Ueli Kistler (Aug 22)