Snort mailing list archives

Re: Help with pass rule


From: sekure <sekure () gmail com>
Date: Thu, 2 Sep 2004 11:00:18 -0400

Prabu,

The original message included the following alert:

[1:2404:5] NETBIOS SMB-DS Session Setup AndX request unicode username
overflow attempt [Classification: Attempted Administrator Privilege
Gain] [Priority: 1]: {TCP} 160.214.186.9:2636 -> 160.214.186.45:445

The sid is 2404, so my initial post was correct. 
Sid 2505 is " WEB-PHP phptest.php access"

But this does bring up an interesting point.  Carlton, a lot of the
windows rules have two versions, one for SMB over NBT (port 139) and
one for SMB over TCP/IP (port 445).  So if you are going to be
suppressing rules, make sure you suppress them both, if they are both
popping up.  The other sid is 2403 " NETBIOS SMB Session Setup AndX
request unicode username overflow attempt".

It's a subtle difference and I've been caught dumbfounded more than
once, after suppressing one rule, seeing the other, but not realizing
it and thinking snort was somehow broken.

Good luck

On Thu, 2 Sep 2004 09:54:09 +0530, prabu <prabu333 () hotpop com> wrote:
Hi,
    I guess that correct sig_id suppose for that rule to be 2404, instead of
2405.

So the suppress command should be as
suppress gen_id 1, sig_id 2404, track by_src, ip 160.214.186.9
instead of;
suppress gen_id 1, sig_id 2405, track by_src, ip 160.214.186.9


Cheers,
Prabu.S
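An added example, not part of the thread or of Snort itself: a small Python checker that parses alert lines in the format quoted above together with a threshold.conf-style suppress fragment, and reports every alert still unsuppressed for its source IP, flagging the case sekure describes, where the sibling SID (2403 on port 139 / 2404 on port 445) is suppressed but this one is not. The sample alert lines, the suppress fragment and the sibling table are constructed for the example.

```python
import re

# Constructed sample alerts in Snort's "fast" alert format, modelled on the
# one quoted in the thread; the second line is the port-139 sibling (sid 2403).
SAMPLE_ALERTS = """\
[1:2404:5] NETBIOS SMB-DS Session Setup AndX request unicode username overflow attempt [Classification: Attempted Administrator Privilege Gain] [Priority: 1]: {TCP} 160.214.186.9:2636 -> 160.214.186.45:445
[1:2403:5] NETBIOS SMB Session Setup AndX request unicode username overflow attempt [Classification: Attempted Administrator Privilege Gain] [Priority: 1]: {TCP} 160.214.186.9:2701 -> 160.214.186.45:139
[1:2505:3] WEB-PHP phptest.php access [Classification: access to a potentially vulnerable web application] [Priority: 2]: {TCP} 10.0.0.7:41000 -> 10.0.0.8:80
"""

# Constructed threshold.conf fragment: only the port-445 variant is suppressed.
SAMPLE_SUPPRESS = """\
suppress gen_id 1, sig_id 2404, track by_src, ip 160.214.186.9
"""

# Sibling pairs named in the thread: 2403 (SMB over NBT, port 139) and
# 2404 (SMB over TCP/IP, port 445). Extend this table for other rule pairs.
SIBLINGS = {2403: 2404, 2404: 2403}

ALERT_RE = re.compile(r"^\[(\d+):(\d+):\d+\] .*? \{\w+\} ([\d.]+):\d+ -> ([\d.]+):\d+")
SUPPRESS_RE = re.compile(
    r"^suppress\s+gen_id\s+(\d+),\s*sig_id\s+(\d+),\s*track\s+(by_src|by_dst),\s*ip\s+([\d.]+)")

def parse_suppress(text):
    """Return a set of (gen_id, sig_id, track, ip) tuples from suppress lines."""
    rules = set()
    for line in text.splitlines():
        m = SUPPRESS_RE.match(line.strip())
        if m:
            rules.add((int(m.group(1)), int(m.group(2)), m.group(3), m.group(4)))
    return rules

def find_unsuppressed(alerts, suppress_text):
    """For each alert not covered by a suppress rule, return
    (sid, src_ip, sibling_suppressed, suggested_suppress_line)."""
    rules = parse_suppress(suppress_text)
    missing = []
    for line in alerts.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue  # not an alert line we understand
        gid, sid, src, dst = int(m.group(1)), int(m.group(2)), m.group(3), m.group(4)
        if (gid, sid, "by_src", src) in rules or (gid, sid, "by_dst", dst) in rules:
            continue  # already suppressed for this host
        sib = SIBLINGS.get(sid)
        sibling_suppressed = sib is not None and (gid, sib, "by_src", src) in rules
        missing.append((sid, src, sibling_suppressed,
                        f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {src}"))
    return missing
```

Run against the sample data, sid 2403 comes back with sibling_suppressed set, which is exactly the "I suppressed it but it still fires" situation from the thread.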

