[Snort-users] Smb output

Joshua Berry jberry at ...11848...
Thu Jul 22 06:36:10 EDT 2004


Frank Knobbe wrote:
> On Wed, 2004-07-21 at 17:13, Michael Sconzo wrote:
>>Ok, if you re-wrote smbclient (or at least the part that does the
>>WinPopUp stuff),
> 
> 
> No, no. I'm saying don't use smbclient at all. Have Snort populate a UDP
> packet and send it out.

>>   That could be an option. But...

>>Then that gets into duplicating work etc ... but if you or somebody
>>else does it, I wouldn't complain either, and would probably use it.
> 
> Heh... I don't even have much time at the moment to work on Snortsam. :(
> And since I don't use the SMB alert, there is no incentive for me
> either. Speaking of Snortsam, I'm doing something very similar there.

>>...no one is interested in rewriting this.

>>   And one more thing. How many WinPopUp windows you gonna find after 
>>you've been out for just one hour (e.g. having lunch)? Personally I 
>>wouldn't want to deal with several hundred open windows at once. :)

If someone were to rewrite it I think it would be better to follow the
flexresp method, where you can add an option to a rule to send a
WinPopUp on alerts that are most important to you.  That way analysts
wouldn't be inundated with the WinPopUps.



