[Snort-devel] Re: New RPC Fix Causes many false alarms

Phil Wood cpw at ...117...
Mon Mar 10 10:14:20 EST 2003


On Mon, Mar 10, 2003 at 10:05:32AM -0500, Chris Green wrote:
> Phil Wood <cpw at ...117...> writes:
> 
> > -rty, Chris, and Company,
> >
> > Well, I could not jumpstart on a pr0gramming project this Saturday, so instead
> > I cobbled up a patch to spp_rpc_decode.c so one can configure source ports to
> > ignore.
> >
> > To ignore tcp rpc packets with source ports of 80 and 443:
> 
> Hrm, need to do this and couple it instead with the stream4 type "is
> client side?" type junk so that
> 
> nc -p 80 host 111 doesn't evade

I guess I don't understand the code.  I thought the preprocessor had already
made up its mind that the packet was evil, when in fact it was just some
http drivel.

> 
> Good idea however. 
> -- 
> Chris Green <cmg at ...402...>
> Let not the sands of time get in your lunch.

-- 
Phil Wood, cpw at ...86...




