[Snort-sigs] Netbios rules are case sensitive?

Jason Haar Jason.Haar at ...651...
Thu May 8 18:49:04 EDT 2003

On Sun, May 04, 2003 at 01:03:18PM -0400, Brian wrote:
> Nope.  The SMB rules need work.  We know this.  Up until recently, I
> didn't have much time to dedicate to that task.  Tackling SMB is one of
> the major tasks on my list that I should be accomplishing this summer.
> Look for big changes in netbios.rules soon.

FYI: Enabling the Nimda rules on port 445 in our Active Directory-based
network has lead to a slight increase in FPs. The domain controllers are
triggering FPs due to Active Directory (over SMB port 445) synchronizing our
Exchange data - stuff like "CN=RECIPIENTS/CN=...EML" from within Exchange
email addresses.

In the end, the proper way to do all this would be with a SMB preprocessor I
suppose - so that file actions can be differentiated from other RPC actions
(like the above).


Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

More information about the Snort-sigs mailing list