Snort mailing list archives

Re: Re: Noob


From: Brian Caswell <bmc () snort org>
Date: Fri, 24 Dec 2004 17:37:37 -0500

On Dec 23, 2004, at 2:31 PM, Brian Stamper wrote:
> I have 10 unique alerts largest below:
> 75 - protocol-command-decode - NETBIOS SMB winreg Unicode access

Registry access happens quite a bit on Microsoft networks. Either configure your homenet/external_net appropriately, or add a flowbits:noalert; to the rule so it will still work where needed, but not generate alerts.

> 30 - protocol-command-decode - NETBIOS SMB IPC$ share Unicode access

This is fairly normal traffic. The next revision of the rule will have a flowbits:noalert. DO NOT TURN THIS RULE OFF if you expect any of the complicated Samba rules to work.

> 21 - attempted-admin - NETBIOS SMB DCERPC NTLMSSP asn1 overflow attempt

What rev of the rule are you using? Early versions had false positive issues.

Brian
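
The dependency behind the "do not turn this rule off" advice above, as an added example that is not part of the original message or of the Snort rule set: a Python script that reads the flowbits options from rule text and reports which rules can no longer fire once a setter rule is disabled. The rules, SIDs and flowbit names below are constructed for illustration.

```python
import re

# Constructed, simplified rules (local SIDs and flowbit names are hypothetical).
SAMPLE_RULES = r'''
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"LOCAL SMB IPC$ share access"; flow:established,to_server; content:"I|00|P|00|C|00|$|00|"; flowbits:set,local.smb.ipc; flowbits:noalert; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"LOCAL SMB winreg access"; flow:established,to_server; flowbits:isset,local.smb.ipc; content:"w|00|i|00|n|00|r|00|e|00|g|00|"; flowbits:set,local.smb.winreg; flowbits:noalert; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"LOCAL SMB winreg follow-up"; flow:established,to_server; flowbits:isset,local.smb.winreg; content:"|FF|SMB"; sid:1000003; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"LOCAL SMB unrelated"; flow:established,to_server; content:"|FF|SMB"; sid:1000004; rev:1;)
'''

FLOWBITS = re.compile(r'flowbits:\s*([a-z]+)\s*(?:,\s*([^;]+?))?\s*;')
SID = re.compile(r'\bsid:\s*(\d+)\s*;')

def parse_rules(text):
    """Return {sid: {'sets', 'needs', 'noalert'}} for every enabled rule."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        sid = SID.search(line)
        if not line or line.startswith('#') or not sid:
            continue  # blank, commented-out (disabled), or not a rule
        info = {'sets': set(), 'needs': set(), 'noalert': False}
        for op, name in FLOWBITS.findall(line):
            if op in ('set', 'toggle'):
                info['sets'].add(name)
            elif op == 'isset':
                info['needs'].add(name)
            elif op == 'noalert':
                info['noalert'] = True  # rule tracks state but stays silent
        rules[int(sid.group(1))] = info
    return rules

def broken_by_disabling(rules, disabled_sid):
    """SIDs that can never match once disabled_sid is off (transitive)."""
    dead = {disabled_sid}
    changed = True
    while changed:
        changed = False
        # Flowbits that some still-working rule is able to set.
        live = set().union(*(r['sets'] for s, r in rules.items() if s not in dead))
        for sid, r in rules.items():
            if sid not in dead and r['needs'] - live:
                dead.add(sid)
                changed = True
    return sorted(dead - {disabled_sid})

if __name__ == "__main__":
    parsed = parse_rules(SAMPLE_RULES)
    print("disabling 1000001 also silences:", broken_by_disabling(parsed, 1000001))
```

Rules flagged `noalert` in the parsed output are the ones that keep state for later rules without producing alerts themselves.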


