[Snort-sigs] Snort 2.1.3RC1 and Rule 538 and 2470
Gary_Portnoy at ...2451...
Tue May 18 09:22:05 EDT 2004
Snort 2.1.3RC1 includes an ability to trigger more than one alert on a
single packet, which is great in my opinion, but this also introduces an
interesting side effect. For example, a regular IPC$ access will trigger
the correct 538 alert (NETBIOS SMB IPC$ share unicode access) and now also
the 2470 alert (NETBIOS SMB C$ share unicode access), because after seeing
IPC$, it'll also see the last two letters of that, C$, in the packet. So
that one needs to be rewritten with pcre. I'll take a stab at it as soon
as I get some time.
-Gary-
-------------------------------------------
Gary Portnoy
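
The overlap described in the message above, as an added example that is not part of the original post or of the Snort rule set. The byte patterns are constructed stand-ins for the two rules' content matches, the payloads are constructed share paths rather than full SMB packets, and the anchored regex is one possible way to separate the two alerts, not the rewrite the author had in mind.

```python
import re

def u16(s):
    """Encode as UTF-16LE, the form unicode SMB share paths take on the wire."""
    return s.encode("utf-16-le")

NUL = b"\x00\x00"  # unicode string terminator

# Constructed stand-ins for the two content matches (assumption: not the
# literal bodies of rules 538 and 2470).
NAIVE = {538: u16("IPC$") + NUL, 2470: u16("C$") + NUL}

# Anchored variant (assumption): the share name must directly follow a
# path separator, so the tail of "IPC$" can no longer satisfy "C$".
ANCHORED = {
    sid: re.compile(re.escape(u16("\\" + name)) + NUL, re.IGNORECASE)
    for sid, name in ((538, "IPC$"), (2470, "C$"))
}

def alerts_naive(payload):
    """Plain case-insensitive substring search, one alert per matching pattern."""
    upper = payload.upper()
    return [sid for sid, pat in NAIVE.items() if pat in upper]

def alerts_anchored(payload):
    """Regex search that requires the separator before the share name."""
    return [sid for sid, rx in ANCHORED.items() if rx.search(payload)]

# Constructed payloads: only the share path, not a full SMB packet.
IPC_PATH = u16("\\\\SERVER\\IPC$") + NUL
C_PATH = u16("\\\\server\\c$") + NUL

if __name__ == "__main__":
    for label, p in (("IPC$", IPC_PATH), ("C$", C_PATH)):
        print(label, "naive:", alerts_naive(p), "anchored:", alerts_anchored(p))
```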