Snort mailing list archives
RE: Help with pass rule
From: "Harper, Patrick" <patrick.harper () phns com>
Date: Wed, 1 Sep 2004 13:43:50 -0500
You have to restart with a -o.

-----Original Message-----
From: Carlton L. Whitmore [mailto:cwhitmore () Advocacyinc org]
Sent: Wednesday, September 01, 2004 10:48 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Help with pass rule

Joel was nice enough to help me with this rule, but it doesn't seem to be blocking the notifications. I put it in the local.rules file and made sure that rule is active in the snort.conf file. I also restarted the snort service. What else do I need to do?

(I'm trying to block these false notifications that are originating from the server 160.214.186.9 to any client)

(here is the notification)

EVENT LOG     Application
EVENT TYPE    Information
SOURCE        snort
EVENT ID      1
COMPUTERNAME  PE1300
TIME          9/1/2004 11:42:02 AM
MESSAGE       [1:2404:5] NETBIOS SMB-DS Session Setup AndX request unicode username overflow attempt [Classification: Attempted Administrator Privilege Gain] [Priority: 1]: {TCP} 160.214.186.9:2636 -> 160.214.186.45:445

(here is the rule Joel provided)

pass tcp 160.214.186.9 any -> $HOME_NET 137:445 (msg:"netbios pass servertoclient";)
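
Added example, not part of the original posts and not Snort's own code: a simplified Python model of rule-type ordering, showing why the pass rule above suppresses the alert only when Snort 2.x is started with -o, which evaluates pass rules before alert rules instead of after them. The HOME_NET value and the alert rule header standing in for sid 2404 are assumptions.

```python
import ipaddress

# Assumption: HOME_NET is not given in the thread; a /24 around both hosts is used.
VARS = {"$HOME_NET": "160.214.186.0/24", "any": "0.0.0.0/0"}

PASS_RULE = 'pass tcp 160.214.186.9 any -> $HOME_NET 137:445 (msg:"netbios pass servertoclient";)'
# Constructed stand-in for the header of the rule that fired (sid 2404); options omitted.
ALERT_RULE = 'alert tcp any any -> $HOME_NET 445 (msg:"stand-in for sid 2404";)'

def parse_header(rule):
    """Split 'action proto src sport -> dst dport (options)' into a dict."""
    action, proto, src, sport, arrow, dst, dport = rule.split("(", 1)[0].split()
    if arrow != "->":
        raise ValueError("only '->' rules are modelled")
    return {"action": action, "proto": proto, "src": src,
            "sport": sport, "dst": dst, "dport": dport}

def port_ok(spec, port):
    """Match 'any', a single port, or a 'low:high' range."""
    if spec == "any":
        return True
    low, _, high = spec.partition(":")
    return int(low) <= port <= int(high or low)

def addr_ok(spec, addr):
    """Match a literal address, a CIDR block, or a variable from VARS."""
    net = ipaddress.ip_network(VARS.get(spec, spec), strict=False)
    return ipaddress.ip_address(addr) in net

def matches(rule, pkt):
    return (rule["proto"] == pkt["proto"]
            and addr_ok(rule["src"], pkt["src"]) and port_ok(rule["sport"], pkt["sport"])
            and addr_ok(rule["dst"], pkt["dst"]) and port_ok(rule["dport"], pkt["dport"]))

def verdict(rules, pkt, pass_first):
    """Return the action of the first matching rule type in evaluation order."""
    order = ["pass", "alert", "log"] if pass_first else ["alert", "pass", "log"]
    for action in order:
        if any(r["action"] == action and matches(r, pkt) for r in rules):
            return action
    return "none"

RULES = [parse_header(PASS_RULE), parse_header(ALERT_RULE)]
# The flow from the event log entry quoted above.
PKT = {"proto": "tcp", "src": "160.214.186.9", "sport": 2636,
       "dst": "160.214.186.45", "dport": 445}

if __name__ == "__main__":
    print("default order:", verdict(RULES, PKT, pass_first=False))
    print("with -o      :", verdict(RULES, PKT, pass_first=True))
```

Traffic from any other source to port 445 still reaches the alert rule under -o, so the pass rule narrows the exemption to the one server.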