Snort mailing list archives
Help with pass rule
From: "Carlton L. Whitmore" <cwhitmore () Advocacyinc org>
Date: Wed, 1 Sep 2004 11:48:18 -0500
Joel was nice enough to help me with this rule, but it doesn't seem to be blocking the notifications. I put it in the local.rules file and made sure that rule is active in the snort.conf file. I also restarted the snort service. What else do I need to do?

(I'm trying to block these false notifications that are originating from the server 160.214.186.9 to any client)

(here is the notification)
EVENT LOG Application
EVENT TYPE Information
SOURCE snort
EVENT ID 1
COMPUTERNAME PE1300
TIME 9/1/2004 11:42:02 AM
MESSAGE [1:2404:5] NETBIOS SMB-DS Session Setup AndX request unicode username overflow attempt [Classification: Attempted Administrator Privilege Gain] [Priority: 1]: {TCP} 160.214.186.9:2636 -> 160.214.186.45:445

(here is the rule Joel provided)
pass tcp 160.214.186.9 any -> $HOME_NET 137:445 (msg:"netbios pass servertoclient";)