[Snort-devel] Re: New RPC Fix Causes many false alarms
cpw at ...117...
Mon Mar 10 10:14:20 EST 2003
On Mon, Mar 10, 2003 at 10:05:32AM -0500, Chris Green wrote:
> Phil Wood <cpw at ...117...> writes:
> > -rty, Chris, and Company,
> > Well, I could not jumpstart on a pr0gramming project this Saturday, so instead
> > I cobbled up a patch to spp_rpc_decode.c so one can configure source ports to
> > ignore.
> > To ignore tcp rpc packets with a source ports of 80 and 443:
> Hrm, need to do this and couple it instead with the stream4 type "is
> client side?" type junk so that
> nc -p 80 host 111 doesn't evade
I guess I don't understand the code. I thought the preprocessor had already
made up it's mind that the packet was evil, when in fact it was just some
> Good idea however.
> Chris Green <cmg at ...402...>
> Let not the sands of time get in your lunch.
Phil Wood, cpw at ...86...
More information about the Snort-devel