[Snort-users] Question

Joe Hdez moncher76 at ...131...
Fri Apr 11 15:56:05 EDT 2003


Hi,

Mhh, I would like to know if this signature is gonna work if I remove the line

byte_test:2,>,1024,0,relative,little

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB trans2open buffer overflow attempt"; flow:to_server,established; content:"|00|"; offset:0; depth:1; content:"|ff 53 4d 42 32|"; offset:4; depth:5; content:"|00 14|"; offset:60; depth:2; byte_test:2,>,1024,0,relative,little; reference:cve,CAN-2003-0201; reference:url,www.digitaldefense.net/labs/advisories/DDI-1013.txt; classtype:attempted-admin; sid:2103; rev:2;)

I ask this because it's not working with snort 1.9.1 through snortcenter, it doesn't have that field.

I'd appreciate your help,
Joe

"Courage is resistance to fear, mastery of fear, not absence of fear." -- Mark Twain



