[Snort-sigs] Netbios rules are case sensitive?
Jason.Haar at ...651...
Thu May 8 18:49:04 EDT 2003
On Sun, May 04, 2003 at 01:03:18PM -0400, Brian wrote:
> Nope. The SMB rules need work. We know this. Up until recently, I
> didn't have much time to dedicate to that task. Tackling SMB is one of
> the major tasks on my list that I should be accomplishing this summer.
> Look for big changes in netbios.rules soon.
FYI: Enabling the Nimda rules on port 445 in our Active Directory-based
network has led to a slight increase in FPs. The domain controllers are
triggering FPs due to Active Directory (over SMB port 445) synchronizing our
Exchange data - stuff like "CN=RECIPIENTS/CN=...EML" from within Exchange.

In the end, the proper way to do all this would be with an SMB preprocessor I
suppose - so that file actions can be differentiated from other RPC actions
(like the above).
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1