Snort mailing list archives

Question


From: Joe Hdez <moncher76 () yahoo com>
Date: Fri, 11 Apr 2003 15:55:16 -0700 (PDT)

Hi, Mhh I would like to know if this signature is gonna work if I remove the line byte_test:2,>,1024,0,relative,little?

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB trans2open buffer overflow attempt"; flow:to_server,established; content:"|00|"; offset:0; depth:1; content:"|ff 53 4d 42 32|"; offset:4; depth:5; content:"|00 14|"; offset:60; depth:2; byte_test:2,>,1024,0,relative,little; reference:cve,CAN-2003-0201; reference:url,www.digitaldefense.net/labs/advisories/DDI-1013.txt; classtype:attempted-admin; sid:2103; rev:2;)

I ask this because it's not working with snort 1.9.1 through snortcenter, it doesn't have that field.

I'd appreciate your help,

Joe

"Courage is resistance to fear, mastery of fear, not absence of fear." -- Mark Twain



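What the option asked about in the message above contributes, as an added example that is not part of the original post and is not Snort's own code: a simplified Python model of the rule's payload options, run with and without byte_test:2,>,1024,0,relative,little. The function names and sample payloads are constructed for illustration, and the header, port and flow checks are not modelled.

```python
# Simplified model of the payload options in sid:2103 as quoted above.
# (pattern, offset, depth) for each content option, in rule order.
CONTENTS = [
    (b"\x00", 0, 1),
    (b"\xff\x53\x4d\x42\x32", 4, 5),
    (b"\x00\x14", 60, 2),
]

def match_contents(payload):
    """Return the index just past the last content match, or None."""
    end = None
    for pattern, offset, depth in CONTENTS:
        # offset/depth restrict the search to payload[offset:offset+depth]
        pos = payload[offset:offset + depth].find(pattern)
        if pos < 0:
            return None
        end = offset + pos + len(pattern)
    return end

def byte_test(payload, cursor, nbytes=2, threshold=1024, rel_offset=0):
    """Model of byte_test:2,>,1024,0,relative,little."""
    start = cursor + rel_offset          # "relative": counted from last match
    field = payload[start:start + nbytes]
    if len(field) < nbytes:              # not enough data to read the value
        return False
    return int.from_bytes(field, "little") > threshold

def rule_matches(payload, with_byte_test=True):
    cursor = match_contents(payload)
    if cursor is None:
        return False
    return byte_test(payload, cursor) if with_byte_test else True

def sample(value):
    """Constructed payload: only the bytes the rule inspects are set."""
    buf = bytearray(64)
    buf[4:9] = b"\xff\x53\x4d\x42\x32"
    buf[60:62] = b"\x00\x14"
    buf[62:64] = value.to_bytes(2, "little")
    return bytes(buf)

if __name__ == "__main__":
    for value in (5, 16, 1024, 2000):
        p = sample(value)
        print(value, rule_matches(p), rule_matches(p, with_byte_test=False))
```

With the byte_test removed the rule still matches, but it fires on every payload that carries the three content patterns, whatever value the two bytes after |00 14| hold.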