[Snort-users] Help with pass rule

Carlton L. Whitmore cwhitmore at ...12125...
Wed Sep 1 09:49:16 EDT 2004


Joel was nice enough to help me with this rule, but it doesn't seem to
be blocking the notifications. I put it in the local.rules file and made
sure that rule is active in the snort.conf file. I also restarted the
snort service. What else do I need to do?

(I'm trying to block these false notifications that are originating
from the server 160.214.186.9 to any client)

(here is the notification)

EVENT LOG: Application
EVENT TYPE: Information
SOURCE: snort
EVENT ID: 1
COMPUTERNAME: PE1300
TIME: 9/1/2004 11:42:02 AM
MESSAGE: [1:2404:5] NETBIOS SMB-DS Session Setup AndX request unicode username overflow attempt [Classification: Attempted Administrator Privilege Gain] [Priority: 1]: {TCP} 160.214.186.9:2636 -> 160.214.186.45:445

(here is the rule Joel provided)

pass tcp 160.214.186.9 any -> $HOME_NET 137:445 (msg:"netbios pass servertoclient";)

 
