Snort mailing list archives

RE: Help with pass rule


From: "Harper, Patrick" <patrick.harper () phns com>
Date: Wed, 1 Sep 2004 13:43:50 -0500

You have to restart with a -o

-----Original Message-----
From: Carlton L. Whitmore [mailto:cwhitmore () Advocacyinc org] 
Sent: Wednesday, September 01, 2004 10:48 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Help with pass rule

Joel was nice enough to help me with this rule, but it doesn't seem to
be blocking the notifications. I put it in the local.rules file and made
sure that rule is active in the snort.conf file. I also restarted the
snort service. What else do I need to do?

( I'm trying to block these false notifications that are originating
from the server 160.214.186.9 to any client )

(here is the notification)

EVENT LOG:     Application
EVENT TYPE:    Information
SOURCE:        snort
EVENT ID:      1
COMPUTERNAME:  PE1300
TIME:          9/1/2004 11:42:02 AM
MESSAGE:
[1:2404:5] NETBIOS SMB-DS Session Setup AndX request unicode username
overflow attempt [Classification: Attempted Administrator Privilege
Gain] [Priority: 1]: {TCP} 160.214.186.9:2636 -> 160.214.186.45:445

(here is the rule Joel provided)

pass tcp 160.214.186.9 any -> $HOME_NET 137:445 (msg:"netbios pass servertoclient";)

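Why the reply points to -o, as an added example that is not part of the original thread: in Snort of this era the standard rule application order is Alert->Pass->Log, and -o switches it to Pass->Alert->Log. The Python sketch below models header matching only; the $HOME_NET value and the alert header standing in for SID 2404 are constructed assumptions.

```python
import ipaddress

# Assumption: $HOME_NET is a constructed /24 covering the addresses in the thread.
VARS = {"$HOME_NET": "160.214.186.0/24"}
RULES = [
    # Constructed stand-in for SID 2404: header only, no content options.
    'alert tcp any any -> $HOME_NET 445 (msg:"constructed stand-in for sid 2404";)',
    # The pass rule quoted in the thread.
    'pass tcp 160.214.186.9 any -> $HOME_NET 137:445 (msg:"netbios pass servertoclient";)',
]
DEFAULT_ORDER = ("alert", "pass", "log")   # standard order
DASH_O_ORDER = ("pass", "alert", "log")    # order after starting with -o
# Packet taken from the alert text in the thread.
PKT = {"proto": "tcp", "src": "160.214.186.9", "sport": 2636,
       "dst": "160.214.186.45", "dport": 445}

def parse_header(rule):
    """Split the part before '(' into the seven rule-header fields."""
    action, proto, src, sport, _arrow, dst, dport = rule.split("(", 1)[0].split()
    return {"action": action, "proto": proto, "src": src,
            "sport": sport, "dst": dst, "dport": dport}

def addr_match(spec, ip):
    spec = VARS.get(spec, spec)  # expand variables such as $HOME_NET
    return spec == "any" or (
        ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False))

def port_match(spec, port):
    if spec == "any":
        return True
    lo, sep, hi = spec.partition(":")
    if not sep:                  # single port
        return port == int(lo)
    return int(lo or 0) <= port <= int(hi or 65535)  # range, open ends allowed

def matches(r, pkt):
    return (r["proto"] == pkt["proto"]
            and addr_match(r["src"], pkt["src"]) and port_match(r["sport"], pkt["sport"])
            and addr_match(r["dst"], pkt["dst"]) and port_match(r["dport"], pkt["dport"]))

def verdict(rules, pkt, order):
    """Action of the first group in `order` that has a matching rule."""
    parsed = [parse_header(r) for r in rules]
    for action in order:
        if any(r["action"] == action and matches(r, pkt) for r in parsed):
            return action
    return "none"

if __name__ == "__main__":
    print("standard order:", verdict(RULES, PKT, DEFAULT_ORDER))
    print("with -o:       ", verdict(RULES, PKT, DASH_O_ORDER))
```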