Snort mailing list archives
Question
From: Joe Hdez <moncher76 () yahoo com>
Date: Fri, 11 Apr 2003 15:55:16 -0700 (PDT)
Hi,

Mhh I would like to know if this signature is gonna work if I remove the line

byte_test:2,>,1024,0,relative,little

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB trans2open buffer overflow attempt"; flow:to_server,established; content:"|00|"; offset:0; depth:1; content:"|ff 53 4d 42 32|"; offset:4; depth:5; content:"|00 14|"; offset:60; depth:2; byte_test:2,>,1024,0,relative,little; reference:cve,CAN-2003-0201; reference:url,www.digitaldefense.net/labs/advisories/DDI-1013.txt; classtype:attempted-admin; sid:2103; rev:2;)

I ask this because it's not working with snort 1.9.1 through snortcenter, it doesn't have that field.

I'd appreciate your help,
Joe

"Courage is resistance to fear, mastery of fear, not absence of fear." -- Mark Twain