Snort mailing list archives
Help with pass rule
From: "Carlton L. Whitmore" <cwhitmore () Advocacyinc org>
Date: Wed, 1 Sep 2004 11:48:18 -0500
Joel was nice enough to help me with this rule, but it doesn't seem to
be blocking the notifications. I put it in the local.rules file and made
sure that rule is active in the snort.conf file. I also restarted the
snort service. What else do I need to do?
(I'm trying to block these false notifications that are originating
from the server 160.214.186.9 to any client)
(here is the notification)
EVENT LOG: Application
EVENT TYPE: Information
SOURCE: snort
EVENT ID: 1
COMPUTERNAME: PE1300
TIME: 9/1/2004 11:42:02 AM
MESSAGE: [1:2404:5] NETBIOS SMB-DS Session Setup AndX request unicode username overflow attempt [Classification: Attempted Administrator Privilege Gain] [Priority: 1]: {TCP} 160.214.186.9:2636 -> 160.214.186.45:445
(here is the rule Joel provided)
pass tcp 160.214.186.9 any -> $HOME_NET 137:445 (msg:"netbios pass servertoclient";)
