[Snort-sigs] Sig Not Firing

Nigel Houghton nhoughton at ...435...
Tue Jul 7 16:22:46 EDT 2009


Total shot in the dark here, let me just cut up your message to see if
I can find something....

On Tue, Jul 7, 2009 at 3:17 PM, Bill Scherr IV<bschnzl at ...3374...> wrote:
> Hi Folks...
>
> Why won't this rule fire???
>
> Here is the rule:
> alert tcp $EXTERNAL_NET ANY -> $HOME_NET 1024:2048 (msg:"NETBIOS DCERPC

hmm, checking those ports..

> #
> preprocessor dcerpc2: \
>    memcap 100000
>    preprocessor dcerpc2_server: default, policy WinXP, \
>    detect tcp [135,139,445,1025:2048]

Don't quite line up.

> Transmission Control Protocol, Src Port: 1063 (1063), Dst Port: 1024 (1024), Seq: 1, Ack: 1, Len:

Yep.

-- 
Nigel Houghton
Head Mentalist
SF VRT
http://vrt-sourcefire.blogspot.com && http://www.snort.org/vrt/
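
The port comparison made in the reply above (rule destination ports 1024:2048 against the dcerpc2 detect list, which starts at 1025) can be checked mechanically. This is an added example, not part of the original message; the function names are assumptions, and it handles only literal port specs (no negation or port variables).

```python
# Added example: list the destination ports a rule matches on that the
# dcerpc2 preprocessor is not configured to inspect for a given transport.
import re

MAX_PORT = 65535

def parse_ports(spec):
    """Expand a Snort port spec (any, N, lo:hi, :hi, lo:, [a,b,c:d]) to a set.
    Negation (!) and port variables are not handled here."""
    spec = spec.strip()
    if spec.lower() == "any":
        return set(range(0, MAX_PORT + 1))
    ports = set()
    for item in spec.strip("[]").split(","):
        item = item.strip()
        if not item:
            continue
        if ":" in item:
            lo, hi = item.split(":", 1)
            lo = int(lo) if lo else 0          # open lower bound
            hi = int(hi) if hi else MAX_PORT   # open upper bound
            ports.update(range(lo, hi + 1))
        else:
            ports.add(int(item))
    return ports

def dcerpc2_detect_ports(conf, transport="tcp"):
    """Pull the 'detect <transport> <ports>' list out of a dcerpc2_server line."""
    pattern = r"detect\s+%s\s+(\[[^\]]*\]|\S+)" % re.escape(transport)
    m = re.search(pattern, conf)
    return parse_ports(m.group(1)) if m else set()

def uninspected_ports(rule_dst_spec, conf, transport="tcp"):
    """Ports in the rule header that fall outside the preprocessor's detect list."""
    gap = parse_ports(rule_dst_spec) - dcerpc2_detect_ports(conf, transport)
    return sorted(gap)

# Values copied from the thread above.
RULE_DST = "1024:2048"
CONF = ("preprocessor dcerpc2_server: default, policy WinXP, "
        "detect tcp [135,139,445,1025:2048]")

if __name__ == "__main__":
    print("rule ports outside dcerpc2 detect list:",
          uninspected_ports(RULE_DST, CONF))
```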



