[Snort-users] Help with pass rule

prabu prabu333 at ...8908...
Wed Sep 1 21:25:06 EDT 2004


Hi,
     I guess that the correct sig_id for that rule is supposed to be 2404, instead of
2405.

So the suppress command should be as
suppress gen_id 1, sig_id 2404, track by_src, ip 160.214.186.9
instead of:
suppress gen_id 1, sig_id 2405, track by_src, ip 160.214.186.9


Cheers,
Prabu.S


----- Original Message ----- 
From: "sekure" <sekure at ...11827...>
To: "Carlton L. Whitmore" <cwhitmore at ...12165...>
Cc: <snort-users at lists.sourceforge.net>
Sent: Wednesday, September 01, 2004 11:45 PM
Subject: Re: [Snort-users] Help with pass rule


> Carlton,
>
> A better solution would be to add the following to your threshold.conf:
> suppress gen_id 1, sig_id 2405, track by_src, ip 160.214.186.9
>
> That way only THAT particular rule will be ignored, but the rest of
> the traffic between those hosts on those ports will still be analyzed
> for OTHER exploits..
>
> Read up on suppress and threshold.  They offer a much more precise way
> to deal with unwanted alerts without compromising the visibility into
> your network.
>
> ----- Original Message -----
> From: Carlton L. Whitmore <cwhitmore at ...12165...>
> Date: Wed, 1 Sep 2004 11:48:18 -0500
> Subject: [Snort-users] Help with pass rule
> To: snort-users at lists.sourceforge.net
>
> Joel was nice enough to help me with this rule, but it doesn't seem to
> be blocking the notifications. I put it in the local.rules file and
> made sure that rule is active in the snort.conf file. I also restarted
> the snort service. What else do I need to do?
>
> ( I'm trying to block these false notifications that are originating
> from the server 160.214.186.9 to any client )
>
> (here is the notification)
>
> EVENT LOG: Application
> EVENT TYPE: Information
> SOURCE: snort
> EVENT ID: 1
> COMPUTERNAME: PE1300
> TIME: 9/1/2004 11:42:02 AM
> MESSAGE: [1:2404:5] NETBIOS SMB-DS Session Setup AndX request unicode username
> overflow attempt [Classification: Attempted Administrator Privilege
> Gain] [Priority: 1]: {TCP} 160.214.186.9:2636 -> 160.214.186.45:445
>
> (here is the rule Joel provided)
>
> pass tcp 160.214.186.9 any -> $HOME_NET 137:445 (msg:"netbios pass servertoclient";)
>
>
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users


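The thread turns on a one-digit mismatch: the alert is generator 1, signature 2404, but the first suppress line named 2405, so the event kept firing. The check below is an added example written for this page, not code from Snort or from anyone in the thread. It parses the "[gid:sid:rev] ... {PROTO} src:port -> dst:port" alert text shown in the event log, derives the threshold.conf suppress line that would silence exactly that signature for that source, and verifies whether a candidate suppress line actually covers the alert (gen_id and sig_id must match, and the tracked address must fall inside the suppress ip, which in later Snort 2.x releases may also be a CIDR block). The sample alert is reconstructed from the message quoted above; the function names and the CIDR handling are this example's own assumptions.

```python
"""Check a Snort 2.x threshold.conf 'suppress' line against the alert it is meant to silence.

Added example for this thread; assumes the Snort 2.x alert text format and the
"suppress gen_id N, sig_id M[, track by_src|by_dst, ip ADDR]" syntax of threshold.conf.
"""
import ipaddress
import re

# Constructed from the alert quoted in the thread (not captured from a live sensor).
SAMPLE_ALERT = (
    "[1:2404:5] NETBIOS SMB-DS Session Setup AndX request unicode username "
    "overflow attempt [Classification: Attempted Administrator Privilege Gain] "
    "[Priority: 1]: {TCP} 160.214.186.9:2636 -> 160.214.186.45:445"
)

# "[gid:sid:rev] msg ... {PROTO} src:sport -> dst:dport"
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)

# threshold.conf suppress syntax; the track/ip part is optional (suppress the sid everywhere).
SUPPRESS_RE = re.compile(
    r"^\s*suppress\s+gen_id\s+(?P<gid>\d+)\s*,\s*sig_id\s+(?P<sid>\d+)"
    r"(?:\s*,\s*track\s+(?P<track>by_src|by_dst)\s*,\s*ip\s+(?P<ip>[\d./]+))?\s*$"
)


def parse_alert(text):
    """Return the generator id, signature id, revision and 5-tuple fields of one alert line."""
    m = ALERT_RE.search(text)
    if not m:
        raise ValueError("not a Snort alert line: %r" % text)
    alert = m.groupdict()
    for key in ("gid", "sid", "rev", "sport", "dport"):
        alert[key] = int(alert[key])
    return alert


def suppress_line(alert, track="by_src"):
    """Build the suppress entry that silences only this gid:sid for the alert's src (or dst)."""
    ip = alert["src"] if track == "by_src" else alert["dst"]
    return "suppress gen_id %d, sig_id %d, track %s, ip %s" % (
        alert["gid"], alert["sid"], track, ip)


def suppress_matches(line, alert):
    """True if the suppress line would have silenced this alert.

    Both gen_id and sig_id must match (a sig_id typo, as in the thread, means
    nothing is suppressed).  With track/ip present, the tracked address must lie
    inside the given ip, which is accepted as a host address or a CIDR block.
    """
    m = SUPPRESS_RE.match(line)
    if not m:
        raise ValueError("not a suppress line: %r" % line)
    if int(m.group("gid")) != alert["gid"] or int(m.group("sid")) != alert["sid"]:
        return False
    if m.group("track") is None:
        return True  # unconditional suppression of that signature
    tracked = alert["src"] if m.group("track") == "by_src" else alert["dst"]
    net = ipaddress.ip_network(m.group("ip"), strict=False)
    return ipaddress.ip_address(tracked) in net


if __name__ == "__main__":
    a = parse_alert(SAMPLE_ALERT)
    print("alert is gid %d sid %d rev %d, %s -> %s" % (a["gid"], a["sid"], a["rev"], a["src"], a["dst"]))
    for candidate in (
        "suppress gen_id 1, sig_id 2405, track by_src, ip 160.214.186.9",  # as first posted
        "suppress gen_id 1, sig_id 2404, track by_src, ip 160.214.186.9",  # corrected
    ):
        print("%-70s -> %s" % (candidate, "silences it" if suppress_matches(candidate, a) else "no effect"))
    print("generated:", suppress_line(a))
```

Note that a pass rule like the one Joel supplied only takes effect when Snort applies pass rules before alert rules; in Snort 2.x the default order is alert, pass, log, so the pass rule is consulted after the alert has already fired unless Snort is started with -o or snort.conf sets `config order: pass alert log`. The suppress entry has no such ordering dependency, which is another reason to prefer it for silencing a single signature.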