[Snort-users] Help with pass rule

sekure sekure at ...11827...
Wed Sep 1 11:17:34 EDT 2004


Carlton,

A better solution would be to add the following to your threshold.conf:
suppress gen_id 1, sig_id 2405, track by_src, ip 160.214.186.9

That way only THAT particular rule will be ignored, but the rest of
the traffic between those hosts on those ports will still be analyzed
for OTHER exploits.

Read up on suppress and threshold.  They offer a much more precise way
to deal with unwanted alerts without compromising the visibility into
your network.

----- Original Message -----
From: Carlton L. Whitmore <cwhitmore at ...12165...>
Date: Wed, 1 Sep 2004 11:48:18 -0500
Subject: [Snort-users] Help with pass rule
To: snort-users at lists.sourceforge.net




Joel was nice enough to help me with this rule, but it doesn't seem to
be blocking the notifications. I put it in the local.rules file and
made sure that rule is active in the snort.conf file. I also restarted
the snort service. What else do I need to do?

( I'm trying to block these false notifications that are originating
from the server 160.214.186.9 to any client )

(here is the notification)

EVENT LOG: Application
EVENT TYPE: Information
SOURCE: snort
EVENT ID: 1
COMPUTERNAME: PE1300
TIME: 9/1/2004 11:42:02 AM
MESSAGE:
[1:2404:5] NETBIOS SMB-DS Session Setup AndX request unicode username
overflow attempt [Classification: Attempted Administrator Privilege
Gain] [Priority: 1]: {TCP} 160.214.186.9:2636 -> 160.214.186.45:445

(here is the rule Joel provided)

pass tcp 160.214.186.9 any -> $HOME_NET 137:445 (msg:"netbios pass servertoclient";)

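The difference the reply is pointing at (a suppress entry silences one signature from one address, a pass rule silences every signature on a matching flow) can be replayed offline. The script below is an added example written for this archive page, not code from either poster or from the Snort project. It implements only the subset of Snort syntax that appears in the thread: the [gen:sid:rev] fast-alert line, a "suppress gen_id, sig_id, track, ip" entry from threshold.conf, and the header of a unidirectional pass rule (no negation, address lists or "<>"). The sample alerts are constructed: the first is the one quoted above, the placeholder sids 1000001 and 1000002 are from the local rule range, and $HOME_NET is assumed to be 160.214.186.0/24. One check worth keeping in mind when writing the suppress line: sig_id has to equal the middle number of the triple in the alert you want gone, here 2404 from [1:2404:5].

```python
import ipaddress
import re
from collections import namedtuple
from typing import Tuple

# Snort "fast" alert line in the shape quoted in the thread's event-log message.
ALERT_RE = re.compile(
    r"^\[(?P<gid>\d+):(?P<sid>\d+):\d+\]\s+(?P<msg>.*?)\s*"
    r"(?:\[Classification:[^\]]*\]\s*)?(?:\[Priority:\s*\d+\]\s*)?:\s*"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$")
# threshold.conf entry: suppress gen_id G, sig_id S[, track by_src|by_dst, ip A]
SUPPRESS_RE = re.compile(
    r"^suppress\s+gen_id\s+(?P<gid>\d+)\s*,\s*sig_id\s+(?P<sid>\d+)"
    r"(?:\s*,\s*track\s+(?P<track>by_src|by_dst)\s*,\s*ip\s+(?P<ip>\S+))?\s*$")

Alert = namedtuple("Alert", "gid sid msg proto src sport dst dport")

def parse_alert(line: str) -> Alert:
    m = ALERT_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a fast-format alert: {line!r}")
    return Alert(int(m["gid"]), int(m["sid"]), m["msg"], m["proto"].lower(),
                 m["src"], int(m["sport"]), m["dst"], int(m["dport"]))

class Suppress(namedtuple("Suppress", "gid sid track net")):
    """track is 'by_src', 'by_dst' or None (suppress the sid from every address)."""
    def matches(self, a: Alert) -> bool:
        if (a.gid, a.sid) != (self.gid, self.sid):
            return False                      # any other signature still alerts
        if self.track is None:
            return True
        addr = a.src if self.track == "by_src" else a.dst
        return ipaddress.ip_address(addr) in self.net

def parse_suppress(line: str) -> Suppress:
    m = SUPPRESS_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a suppress entry: {line!r}")
    net = ipaddress.ip_network(m["ip"], strict=False) if m["ip"] else None
    return Suppress(int(m["gid"]), int(m["sid"]), m["track"], net)

def _ports(spec: str) -> Tuple[int, int]:
    """'any', '445', '137:445', ':445' or '137:' -> inclusive (low, high)."""
    if spec == "any":
        return 0, 65535
    lo, sep, hi = spec.partition(":")
    return int(lo or 0), int((hi if sep else lo) or 65535)

def _ip_ok(spec: str, addr: str) -> bool:
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

class PassRule(namedtuple("PassRule", "proto src sports dst dports")):
    def matches(self, a: Alert) -> bool:
        # Header-only match: every event on a matching flow is dropped, whatever its sid.
        return (self.proto in ("ip", a.proto)
                and _ip_ok(self.src, a.src) and self.sports[0] <= a.sport <= self.sports[1]
                and _ip_ok(self.dst, a.dst) and self.dports[0] <= a.dport <= self.dports[1])

def parse_pass_rule(text: str, variables: dict) -> PassRule:
    """Header of 'pass proto src sport -> dst dport (...)'; no negation, lists or '<>'."""
    action, proto, src, sport, arrow, dst, dport = text.split("(", 1)[0].split()
    if action != "pass" or arrow != "->":
        raise ValueError("only unidirectional pass rules are handled")
    return PassRule(proto.lower(), variables.get(src, src), _ports(sport),
                    variables.get(dst, dst), _ports(dport))

def surviving_sids(alerts, filters) -> list:
    """sids of the alerts still reported once every filter has been applied."""
    return [a.sid for a in alerts if not any(f.matches(a) for f in filters)]

# Constructed sample alerts, not taken from the poster's sensor: the first is the one
# quoted in the thread; the other sids are placeholders from the local range (1000000+).
SAMPLE_ALERTS = [parse_alert(l) for l in (
    "[1:2404:5] NETBIOS SMB-DS Session Setup AndX request unicode username overflow attempt "
    "[Classification: Attempted Administrator Privilege Gain] [Priority: 1]: "
    "{TCP} 160.214.186.9:2636 -> 160.214.186.45:445",
    "[1:2404:5] NETBIOS SMB-DS Session Setup AndX request unicode username overflow attempt "
    "[Classification: Attempted Administrator Privilege Gain] [Priority: 1]: "
    "{TCP} 160.214.186.77:1044 -> 160.214.186.45:445",
    "[1:1000001:1] LOCAL placeholder A [Classification: Misc activity] [Priority: 3]: "
    "{TCP} 160.214.186.9:2701 -> 160.214.186.45:139",
    "[1:1000002:1] LOCAL placeholder B [Classification: Misc activity] [Priority: 3]: "
    "{TCP} 160.214.186.9:3011 -> 160.214.186.45:80",
)]
VARIABLES = {"$HOME_NET": "160.214.186.0/24"}   # assumed value of the poster's HOME_NET
SUPPRESS_BY_SRC = parse_suppress("suppress gen_id 1, sig_id 2404, track by_src, ip 160.214.186.9")
PASS_RULE = parse_pass_rule(
    'pass tcp 160.214.186.9 any -> $HOME_NET 137:445 (msg:"netbios pass servertoclient";)', VARIABLES)

if __name__ == "__main__":
    print("no filter      :", surviving_sids(SAMPLE_ALERTS, []))
    print("suppress by_src:", surviving_sids(SAMPLE_ALERTS, [SUPPRESS_BY_SRC]))
    print("pass rule      :", surviving_sids(SAMPLE_ALERTS, [PASS_RULE]))
```

Run as-is, the suppress entry drops only the 2404 event from 160.214.186.9 and leaves the same sid from 160.214.186.77 and both placeholder alerts from .9 intact, while the pass rule also drops placeholder A (same host, port 139 is inside 137:445) and would drop anything else that host ever did on those ports. Separately from which filter is narrower: on Snort 2.x of this era the default rule order is Alert->Pass->Log, so a pass rule in local.rules does not take precedence over an alert rule unless snort is started with -o (or snort.conf carries a "config order:" line putting pass first); the suppress entry in threshold.conf needs no such change.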