[Snort-sigs] Snort 2.1.3RC1 and Rule 538 and 2470

Gary_Portnoy at ...2451... Gary_Portnoy at ...2451...
Tue May 18 09:22:05 EDT 2004

Snort 2.1.3RC1 includes an ability to trigger more than one alert on a 
single packet, which is great in my opinion, but this also introduces an 
interesting side effect.  For example a regular IPC$ access will trigger 
the correct 538 alert (NETBIOS SMB IPC$ share unicode access) and now also 
the 2470 alert (NETBIOS SMB C$ share unicode access), because after seeing 
IPC$, it'll also see the last two letters of that, C$,  in the packet.  So 
that one needs to be rewritten with pcre. I'll take a stab at it as soon 
as I get some time.

Gary Portnoy

This message is for the named person's use only. This communication is for 
informational purposes only and has been obtained from sources believed to 
be reliable, but it is not necessarily complete and its accuracy cannot be 
guaranteed. It is not intended as an offer or solicitation for the purchase
or sale of any financial instrument or as an official confirmation of any
transaction. Moreover, this material should not be construed to contain any
recommendation regarding, or opinion concerning, any security. It may
contain confidential, proprietary or legally privileged information. No
confidentiality or privilege is waived or lost by any mistransmission. If
you receive this message in error, please immediately delete it and all
copies of it from your system, destroy any hard copies of it and notify the
sender. You must not, directly or indirectly, use, disclose, distribute, 
print, or copy any part of this message if you are not the intended 
recipient.  Any views expressed in this message are those of the individual
sender, except where the message states otherwise and the sender is 
authorized to state them to be the views of any such entity.

ITG Inc. reserves the right to monitor and archive all electronic 
communications through its network. 

ITG Inc. Member NASD, SIPC

More information about the Snort-sigs mailing list