Snort mailing list archives

Re: the better way?


From: John Friedman <jfriedmanx () yahoo com>
Date: Thu, 10 Nov 2005 08:48:32 -0800 (PST)

Ralf,
 
Thanks for your reply.  You mean that I comment out the alert line in the netbios rule in the rules folder, as follows:
 

# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB IPC$ share access"; flow:established,to_server; 
content:"|00|"; offset:0; depth:1; content:"|FF|SMBu"; distance:3; within:5; byte_test:1,!&,128,6,relative; 
pcre:"/^.{27}/R"; byte_jump:2,7,little,relative; content:"IPC|24 00|"; nocase; distance:2; 
flowbits:set,smb.tree.connect.ipc; classtype:protocol-command-decode; sid:537; rev:14;)...

If I do not want to include the netbios rules at all, what's the better way to do it?
 
Thanks,
 
John
Ralf Spenneberg <lists () spenneberg org> wrote:
Hi,

The first is not dangerous and the second is hopefully patched. You can
suppress these alerts, but I would simply comment out the related rules.

Ralf

On Thursday, 10.11.2005, 07:50 -0800, John Friedman wrote:
Hi all,

I found I have lots of these alerts; 10.1.10.3 is the domain controller.



#2-(2-1564)  [snort]  NETBIOS SMB-DS IPC$ unicode share access
             2005-11-10 10:36:18   10.1.12.14:4000 -> 10.1.10.3:445   TCP

#3-(2-1563)  [nessus] [nessus] [cve] [icat] [bugtraq] [bugtraq] [snort]
             NETBIOS SMB-DS Session Setup NTMLSSP unicode asn1 overflow attempt
             2005-11-10 10:36:18   10.1.12.14:4000 -> 10.1.10.3:445   TCP


10.1.12.14 is a workstation or server IP. What's the better way
to ignore these alerts (suppress?). BTW, why does it generate so many of
these alerts, and is it dangerous?



Thanks,



John



-- 
Ralf Spenneberg
OpenSource Training http://www.opensource-training.de
Webereistr. 1 48565 Steinfurt Germany




_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

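The two options Ralf mentions, written out in the Snort 2.x configuration syntax of the time, as an added example that is not part of the thread: a suppress entry (threshold.conf, or snort.conf if the thresholds live there) that silences one signature only when the destination is the domain controller, and the include line in snort.conf that is commented out to drop the whole netbios rule set. sid 537 and the address 10.1.10.3 come from the messages above; the sids of the port-445 rules the ACID output shows are not in the thread, so each of those would get its own suppress line with its real sid filled in.

```snort
# --- threshold.conf: keep netbios.rules loaded, silence only sid 537
# --- and only for traffic whose destination is the domain controller.
# Constructed example; 10.1.10.3 is the DC from the original post.
suppress gen_id 1, sig_id 537, track by_dst, ip 10.1.10.3

# The ip field also accepts a CIDR block, so a whole server segment
# can be covered by one entry instead of one per host (constructed value).
# suppress gen_id 1, sig_id 537, track by_dst, ip 10.1.10.0/24

# --- snort.conf: the coarser option Ralf prefers, drop every netbios rule
# --- by commenting out the include for that rule file.
# include $RULE_PATH/netbios.rules
```

The difference matters for detection coverage: a suppress keyed on the DC address leaves sid 537 firing for SMB share access to any other host, so a workstation connecting to something that is not the domain controller still produces an alert, while commenting out the include silences the whole file everywhere. Either way, run `snort -T -c snort.conf` after the change so a syntax slip in threshold.conf is caught before the sensor restarts.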
