Re: Strange Alert

[Dirk Geschke <Dirk_Geschke () genua de>]

Hi Jens,

> I have a snort (2.8.5.2) setup here using barnyard (2.1.7) and base
> (1.4.4). Everything works as expected except for one alert which shows
> up on base:
>
> [snort]    Snort Alert [133:34:0]    unclassified 
>
> I greped /etc/snort and the source and didn't find anything. Any ideas?

I think it is the DCE2 preprocessor (src/generators.h):

#define GENERATOR_DCE2                              133

and there 

#define     DCE2_EVENT__CO_FRAG_LT_MAX_XMIT_FRAG     34

which is used in src/dynamic-preprocessors/dcerpc2/dce2_event.c:

  {
      DCE2_EVENT_FLAG__CO,
      DCE2_EVENT__CO_FRAG_LT_MAX_XMIT_FRAG,
      "Connection-oriented DCE/RPC - %s: Fragment length on non-last fragment (%u) less than "
          "maximum negotiated fragment transmit size for client (%u)"
  },

Just my 2ct...

Best regards

Dirk

-- 
Dr. Dirk Geschke - Tel.: +49-(0)-89-991950-131 
GeNUA Gesellschaft für Netzwerk- und Unix-Administration mbH
Domagkstr. 7, D-85551 Kirchheim. http://www.genua.de
Tel: (089) 99 19 50 - 0, Fax: (089) 99 10 50 - 999
Geschäftsführer: Dr. Magnus Harlander, Dr. Michaela Harlander,
Bernhard Schneck. Amtsgericht München HRB 98238 

------------------------------------------------------------------------------
SOLARIS 10 is the OS for Data Centers - provides features such as DTrace,
Predictive Self Healing and Award Winning ZFS. Get Solaris 10 NOW
http://p.sf.net/sfu/solaris-dev2dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users