Snort mailing list archives

Re: NETBIOS nimda.eml


From: Erek Adams <erek () snort org>
Date: Wed, 22 Oct 2003 13:45:36 -0400 (EDT)

On Wed, 22 Oct 2003, Paul Lane wrote:

This rule is generating lots of alerts on my network;

        alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS nimda .eml"; \
          content:"|00|.|00|E|00|M|00|L"; flow:to_server,established; \
          classtype:bad-unknown; \
          reference:url,www.f-secure.com/v-descs/nimda.shtml; sid:1293; rev:8;)

The source IP is an Exchange 2000 server and the destination IP is a
file server. I've made sure that these boxes are patched and the virus
dat files are current.

Can I modify this rule and cut down on the alerts it's generating?

You can ignore it altogether using a BPF filter or a pass rule, or you
can use thresholding to cut down on the number of alerts.

Check README.thresholding in the /docs directory, but basically something
like this:

        config threshold: memcap 3000000
        threshold gen_id 1, sig_id 1293, type both, track by_src, count 30, seconds 60

Cheers!


-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson
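Added example (not code from the list post, and not Snort's own code): a small Python model of the documented semantics of Snort's standalone thresholding, run over constructed alert events for sid 1293 so you can see what the reply's `type both, track by_src, count 30, seconds 60` entry actually does to a flood of alerts from one source. The `Event` record, the `EventThreshold` class and the sample addresses are assumptions made for this example; the three types (`limit`, `threshold`, `both`) follow the definitions in README.thresholding, and the model also covers the two types the reply does not use.

```python
"""Model of Snort standalone thresholding (type limit / threshold / both).

Added example, not Snort source. It replays constructed alert events through
the threshold from the reply (count 30 / seconds 60, track by_src) so the
reduction in logged alerts is visible.
"""
from collections import namedtuple

# Hypothetical alert record; a real Snort event carries more fields.
Event = namedtuple("Event", "ts src dst gen_id sig_id")


class EventThreshold:
    """One 'threshold gen_id G, sig_id S, type T, track K, count C, seconds W' entry.

    Window logic as documented for Snort thresholding:
      limit     -> log the first C events in each W-second window, drop the rest
      threshold -> log every C-th event within the window
      both      -> log once, on the C-th event, then drop the rest of the window
    """

    def __init__(self, gen_id, sig_id, kind, track, count, seconds):
        assert kind in ("limit", "threshold", "both")
        assert track in ("by_src", "by_dst")
        self.gen_id, self.sig_id = gen_id, sig_id
        self.kind, self.track = kind, track
        self.count, self.seconds = count, seconds
        self._windows = {}  # tracked address -> (window_start, events_seen)

    def applies_to(self, ev):
        return (ev.gen_id, ev.sig_id) == (self.gen_id, self.sig_id)

    def should_log(self, ev):
        key = ev.src if self.track == "by_src" else ev.dst
        start, n = self._windows.get(key, (None, 0))
        if start is None or ev.ts - start >= self.seconds:
            start, n = ev.ts, 0  # window expired: open a new one on this event
        n += 1
        self._windows[key] = (start, n)
        if self.kind == "limit":
            return n <= self.count
        if self.kind == "threshold":
            return n % self.count == 0
        return n == self.count  # both


def filter_alerts(events, thresholds):
    """Return the events that would reach the alert log, in timestamp order."""
    logged = []
    for ev in sorted(events, key=lambda e: e.ts):
        matching = [t for t in thresholds if t.applies_to(ev)]
        # An event with no matching threshold entry is logged unchanged.
        if all(t.should_log(ev) for t in matching):
            logged.append(ev)
    return logged


def sample_events():
    """Constructed traffic: one chatty server (like the Exchange box in the
    question) and one quiet host, both tripping sid 1293 against the file server."""
    evs = []
    # 45 hits in 45 s, then 35 more starting at t=100 (falls into a second window)
    evs += [Event(t, "10.0.0.5", "10.0.0.20", 1, 1293) for t in range(0, 45)]
    evs += [Event(t, "10.0.0.5", "10.0.0.20", 1, 1293) for t in range(100, 135)]
    # a different source with only a handful of hits
    evs += [Event(t, "10.0.0.7", "10.0.0.20", 1, 1293) for t in range(0, 5)]
    return evs


def demo(kind="both"):
    """Run the reply's threshold (count 30 / 60 s, by_src) over the sample events."""
    thr = EventThreshold(1, 1293, kind, "by_src", 30, 60)
    return filter_alerts(sample_events(), [thr])


if __name__ == "__main__":
    raw = sample_events()
    kept = demo("both")
    print(f"{len(raw)} raw alerts -> {len(kept)} logged with type both")
    for ev in kept:
        print(f"  t={ev.ts:3d}s  {ev.src} -> {ev.dst}  sid:{ev.sig_id}")
```

With `type both`, the 85 constructed hits collapse to two logged alerts, one per 60-second window in which 10.0.0.5 reached 30 hits; the quiet host never crosses the count and is never logged. Swapping `"both"` for `"limit"` in `demo()` instead logs the first 30 hits of each window, which is the choice to make if you still want to see the individual events but cap the volume.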

