[Snort-users] Snort SMB

Paulo Filipe Mira paulo.mira at ...5092...
Thu Aug 22 09:11:02 EDT 2002


Assuming a *nix snort box:

You do have to have samba installed and working properly,
as the alert is sent through the 'smbclient' program;
see spo_alert_smb.c, line 246 sends the alert through:

snprintf(command_line, 2047,
                        "echo \"%s\" | smbclient -U Snort -M %s",
                        tempmsg, tempwork);

Be careful because those winpopup messages can get very annoying
on a busy network.

Paulo Filipe Mira
SA
Soquímica
paulo.mira at ...5092...
Tel: +351 21 716 51 60
Fax: +351 21 716 51 69



> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net
> [mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Spangberg, Henrik
> Sent: Thursday, 22 August 2002 12:47
> To: Snort-Users (E-mail)
> Cc: Snort-Users (E-mail)
> Subject: RE: [Snort-users] Snort SMB
>
>
> Jepp,
> That's right. I'm asking about samba ALERT, i.e. a winpopup dialog.
>
> // Henrik S
>
> -----Original Message-----
> From: David Yip [mailto:dy at ...6387...]
> Sent: 22 August 2002 13:32
> To: "Sundström, Tomas"
> Cc: 'Spangberg, Henrik'; Snort-Users (E-mail)
> Subject: RE: [Snort-users] Snort SMB
>
>
> I think he is asking about samba ALERT, i.e. a winpopup
> dialog box, I think.
>
> At 18:31 22/8/2002, Sundström, Tomas wrote:
>
>
> Hi,
>
> pass udp $HOME_NET 137:138 <> $HOME_NET 137:138 (msg:"AcceptNetbios"; sid:1000027;)
>
> you choose whether you pass, alert, log, react to this match.
> This rule only applies on local "broadcasts" sent from
> windows machines but
> also for samba enabled servers.
>
> Rgds. Tomas
>
> -----Original Message-----
> From: Spangberg, Henrik [mailto:Henrik.Spangberg at ...6584...]
> Sent: 22 August 2002 11:25
> To: Snort-Users (E-mail)
> Subject: [Snort-users] Snort SMB
>
> Hello,
> Does anybody know where to find information how to configure
> SNORT with smb
> alert.
> Does SAMBA have to be installed?
> >>No
>
> Most kind regards Henrik
>
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> --
>
> David Yip
>
>
>
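The smbclient invocation quoted from spo_alert_smb.c above, redone as an added example (not Snort's code and not from this thread): the message goes to smbclient on stdin and the workstation is a separate argv entry, instead of both being formatted into one command string. It assumes the original string is executed by a shell; `send_popup`, `valid_workstation` and the conservative 15-character name filter are hypothetical choices made for this example.

```c
#include <ctype.h>
#include <signal.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Assumed filter: 1-15 chars of [A-Za-z0-9_-], not starting with '-', so the
 * workstation name can never be read by smbclient as an option. */
int valid_workstation(const char *name)
{
    size_t len = strlen(name);
    if (len == 0 || len > 15 || name[0] == '-')
        return 0;
    for (size_t i = 0; i < len; i++)
        if (!isalnum((unsigned char)name[i]) && name[i] != '_' && name[i] != '-')
            return 0;
    return 1;
}

/* Run `prog -U Snort -M workstation` with msg on its stdin, no shell.
 * Returns the child's exit status, or -1 on error or a rejected name. */
int send_popup(const char *prog, const char *workstation, const char *msg)
{
    int fds[2];
    if (!valid_workstation(workstation) || pipe(fds) != 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0) {
        close(fds[0]); close(fds[1]);
        return -1;
    }
    if (pid == 0) {                       /* child: pipe becomes stdin */
        dup2(fds[0], STDIN_FILENO);
        close(fds[0]); close(fds[1]);
        char *const argv[] = { (char *)prog, "-U", "Snort", "-M",
                               (char *)workstation, NULL };
        execvp(prog, argv);
        _exit(127);                       /* exec failed */
    }
    close(fds[0]);
    void (*old)(int) = signal(SIGPIPE, SIG_IGN); /* child may exit early */
    ssize_t n = write(fds[1], msg, strlen(msg)); /* raw bytes, never parsed */
    (void)n;
    close(fds[1]);
    signal(SIGPIPE, old);
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}
```

In real use `prog` would be `"smbclient"`; any other program name stands in for it when exercising the function offline.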





