[Snort-users] Smb output

Michael Sconzo msconzo at ...5072...
Wed Jul 21 15:14:02 EDT 2004


On Wed, Jul 21, 2004 at 04:55:25PM -0500, Frank Knobbe wrote:
> 
> As I said, looks like the output plugin could be optimized where the
> admin supplies not only the IP address but also the NetBIOS name of the
> system to be contacted. All Snort would need to do is populate a UDP
> packet and throw it on the wire (without calling smbclient).

Ok, if you re-wrote smbclient (or at least the part that does the
WinPopUp stuff), then yes, you could probably speed it up.  But
then you need to get the NetBIOS name out of something etc ... and
calling the external programs via a script or something in a low
traffic environment doesn't cause any loss, and in a high traffic/alert
environment ... that's a not of WinPopUps.  All I know is I'm not
gonna volunteer to rewrite smbclient (I'm not that sadistic) [waits
for holy war to start] :)

Then that gets into duplicating work etc ... but if you or somebody
else does it, I wouldn't complain either, and would probably use it.

-=Mike

> 
> 
> Regards,
> Frank
> 



-- 
The New Testament offers the basis for modern computer coding theory,
in the form of an affirmation of the binary number system.
        But let your communication be Yea, yea; nay, nay: for
        whatsoever is more than these cometh of evil.
                -- Matthew 5:37




More information about the Snort-users mailing list