Snort mailing list archives
Re: NETBIOS nimda.eml
From: Erek Adams <erek () snort org>
Date: Wed, 22 Oct 2003 13:45:36 -0400 (EDT)
On Wed, 22 Oct 2003, Paul Lane wrote:
> This rule is generating lots of alerts on my network:
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS nimda .eml"; content:"|00|.|00|E|00|M|00|L"; flow:to_server,established; classtype:bad-unknown; reference:url,www.f-secure.com/v-descs/nimda.shtml; sid:1293; rev:8;)
>
> The source IP is an Exchange 2000 server and the destination IP is a file server. I've made sure that these boxes are patched and the virus dat files are current. Can I modify this rule and cut down on the alerts it's generating?
You can ignore it altogether using a BPF filter or a pass rule, or you can use thresholding to cut down on the number of alerts. Check README.thresholding in the /docs directory, but basically something like this:

config threshold: memcap 3000000
threshold gen_id 1, sig_id 1293, type both, track by_src, count 30, seconds 60

Cheers!

-----
Erek Adams
"When things get weird, the weird turn pro." H.S. Thompson
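As an added illustration (not part of the original thread), the following Python simulates the three Snort threshold types described in README.thresholding (limit, threshold, both) over constructed alert timestamps, using the count 30 / seconds 60 / track by_src values from the reply. The IP addresses and event timings are made up.

```python
"""Simulate Snort 2.x event thresholding for one sig_id (README.thresholding semantics)."""


def threshold_alerts(events, count, seconds, kind="both", track="by_src"):
    """Return the subset of `events` that would still be reported as alerts.

    events: iterable of (timestamp_seconds, src_ip, dst_ip), all for one sig_id.
    kind:   'limit'     - report the first `count` events per window, drop the rest
            'threshold' - report every `count`-th event within a window
            'both'      - report once per window, when the count reaches `count`
    A window opens at the first event seen for the tracked address and lasts
    `seconds`; the first event after it expires opens a new window.
    """
    state = {}  # tracked ip -> (window_start, events_seen_in_window)
    reported = []
    for ts, src, dst in events:
        key = src if track == "by_src" else dst
        start, n = state.get(key, (None, 0))
        if start is None or ts - start >= seconds:
            start, n = ts, 0  # window expired (or first event): open a new one
        n += 1
        state[key] = (start, n)
        if kind == "limit":
            fire = n <= count
        elif kind == "threshold":
            fire = n % count == 0
        elif kind == "both":
            fire = n == count
        else:
            raise ValueError(f"unknown threshold type {kind!r}")
        if fire:
            reported.append((ts, src, dst))
    return reported


# Constructed sample (made-up addresses): the Exchange host 10.0.0.5 trips the
# rule 100 times in the first 50 seconds and 40 more times in the next minute;
# an unrelated host 10.0.0.9 trips it 5 times. File server is 10.0.0.20.
SAMPLE = sorted(
    [(0.5 * i, "10.0.0.5", "10.0.0.20") for i in range(100)]
    + [(60 + i, "10.0.0.5", "10.0.0.20") for i in range(40)]
    + [(5 * i, "10.0.0.9", "10.0.0.20") for i in range(5)]
)

if __name__ == "__main__":
    for kind in ("limit", "threshold", "both"):
        kept = threshold_alerts(SAMPLE, count=30, seconds=60, kind=kind)
        print(f"{kind:>9}: {len(SAMPLE)} raw events -> {len(kept)} alerts")
```

With `type both`, the 145 raw events collapse to two alerts (one per 60-second window in which 10.0.0.5 reached 30 hits), while 10.0.0.9 never reaches the count and is not reported at all.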
Current thread:
- NETBIOS nimda.eml Paul Lane (Oct 22)
- Re: NETBIOS nimda.eml Erek Adams (Oct 22)
- Re: NETBIOS nimda.eml Jason Haar (Oct 22)