[Snort-sigs] Netbios rules are case sensitive?

Jon Stearn jon at ...1490...
Thu May 1 05:41:24 EDT 2003


On the port 445 issue, this is something that seems to crop up periodically.
I remember some talk about working on definitive rules but nothing seems to
have come of it.

I've simply run through the existing rules substituting 445 for 139: works
for me. Anyone have a better approach?

j

> -----Original Message-----
> From: snort-sigs-admin at lists.sourceforge.net
> [mailto:snort-sigs-admin at lists.sourceforge.net]On Behalf Of Jason Haar
> Sent: 30 April 2003 23:08
> To: snort-sigs at lists.sourceforge.net
> Subject: [Snort-sigs] Netbios rules are case sensitive?
>
>
> I've just noticed that the Nimda rules are case sensitive - should that be
> the case?
>
> e.g.
>
> alert tcp any any -> any 139 (msg:"NETBIOS nimda .eml";
> content:"|00|.|00|E|00|M|00|L"; flow:to_server,established;
> classtype:bad-unknown; reference:url,www.f-secure.com/v-descs/nimda.shtml;
> sid:1293; rev:8;)
>
>
> That'll catch "test.EML", but it won't catch "test.eml|test.emL" - even
> though they are all ".eml" according to Windows applications...
>
> Shouldn't "nocase" be in them?
>
> Also, there are no port 445 versions of these rules - shouldn't there be?
>
> --
> Cheers
>
> Jason Haar
> Information Security Manager, Trimble Navigation Ltd.
> Phone: +64 3 9635 377 Fax: +64 3 9635 417
> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
>
>
>
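Added example, not part of either post: a sketch of the two changes discussed in this thread, applied to the quoted sid:1293 rule. It clones the rule for port 445 and adds nocase, then checks both versions against constructed UTF-16LE filename bytes. The helper names, the local sid offset of 1,000,000 and the sample payloads are assumptions made for this illustration.

```python
import re

# Rule quoted in the thread (sid:1293), joined onto one line.
RULE = ('alert tcp any any -> any 139 (msg:"NETBIOS nimda .eml"; '
        'content:"|00|.|00|E|00|M|00|L"; flow:to_server,established; '
        'classtype:bad-unknown; reference:url,www.f-secure.com/v-descs/nimda.shtml; '
        'sid:1293; rev:8;)')

LOCAL_SID_BASE = 1_000_000  # assumption: cloned rules get sids in the local range


def content_bytes(pattern):
    """Decode a Snort content string: |..| sections are hex, the rest is literal."""
    out = bytearray()
    for i, part in enumerate(pattern.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)


def rule_matches(rule, payload):
    """Match the rule's single content option against payload, honouring nocase."""
    needle = content_bytes(re.search(r'content:"([^"]*)"', rule).group(1))
    if re.search(r';\s*nocase\s*;', rule):
        return needle.lower() in payload.lower()
    return needle in payload


def port_445_nocase(rule):
    """Clone a port-139 rule for port 445, add nocase, and move it to a local sid."""
    head, opts = rule.split("(", 1)
    head = re.sub(r'139(\s*)$', r'445\1', head)  # destination port only
    opts = re.sub(r'(content:"[^"]*";)(?!\s*nocase;)', r'\1 nocase;', opts)
    opts = re.sub(r'sid:(\d+);',
                  lambda m: f'sid:{LOCAL_SID_BASE + int(m.group(1))};', opts)
    opts = re.sub(r'rev:\d+;', 'rev:1;', opts)
    return head + "(" + opts


def sample(filename):
    """Constructed payload: a file name as UTF-16LE bytes, as in a Unicode SMB path."""
    return ("\\" + filename).encode("utf-16-le")


if __name__ == "__main__":
    clone = port_445_nocase(RULE)
    print(clone)
    for name in ("test.EML", "test.eml", "test.emL", "test.txt"):
        print(name, rule_matches(RULE, sample(name)), rule_matches(clone, sample(name)))
```
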




