[Snort-users] Help with pass rule

sekure sekure at ...11827...
Thu Sep 2 08:01:08 EDT 2004


Prabu,

The original message included the following alert:

> > [1:2404:5] NETBIOS SMB-DS Session Setup AndX request unicode username
> > overflow attempt [Classification: Attempted Administrator Privilege
> > Gain] [Priority: 1]: {TCP} 160.214.186.9:2636 -> 160.214.186.45:445

The sid is 2404, so my initial post was correct. 
Sid 2505 is " WEB-PHP phptest.php access"

But this does bring up an interesting point.  Carlton, a lot of the
windows rules have two versions, one for SMB over NBT (port 139) and
one for SMB over TCP/IP (port 445).  So if you are going to be
suppressing rules, make sure you suppress them both, if they are both
popping up.  The other sid is 2403 " NETBIOS SMB Session Setup AndX
request unicode username overflow attempt".

It's a subtle difference and I've been caught dumbfounded more than
once, after suppressing one rule, seeing the other, but not realizing
it and thinking snort was somehow broken.

good luck

On Thu, 2 Sep 2004 09:54:09 +0530, prabu <prabu333 at ...8908...> wrote:
> Hi,
>     I guess that the correct sig_id for that rule is supposed to be 2404, instead of
> 2405.
> 
> So the suppress command should be as
> suppress gen_id 1, sig_id 2404, track by_src, ip 160.214.186.9
> instead of:
> suppress gen_id 1, sig_id 2405, track by_src, ip 160.214.186.9
> 
> 
> Cheers,
> Prabu.S
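
The point sekure makes above (the 139 and 445 variants of a NETBIOS rule must both be suppressed, or the other one keeps firing) can be checked mechanically. The script below is an added example, not code from the thread or from the Snort project: it parses `suppress` lines in threshold.conf syntax, parses fast-alert style alert lines, reports which alerts would still fire, and flags a suppress entry whose 139/445 sibling is missing. The threshold.conf excerpt and the second alert line (sid 2403 from the same source host) are constructed; the first alert line and the sid pair 2403/2404 are taken from the thread.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional, Union

# Constructed threshold.conf excerpt: the suppress line is the one from the thread.
THRESHOLD_CONF = """\
# Only the SMB-over-TCP/IP (port 445) variant is suppressed here.
suppress gen_id 1, sig_id 2404, track by_src, ip 160.214.186.9
"""

# Constructed alert lines. The first is the alert quoted in the thread; the second is
# what the port-139 sibling rule (sid 2403) would report for the same source host.
ALERTS = [
    "[1:2404:5] NETBIOS SMB-DS Session Setup AndX request unicode username "
    "overflow attempt [Classification: Attempted Administrator Privilege Gain] "
    "[Priority: 1]: {TCP} 160.214.186.9:2636 -> 160.214.186.45:445",
    "[1:2403:5] NETBIOS SMB Session Setup AndX request unicode username "
    "overflow attempt [Classification: Attempted Administrator Privilege Gain] "
    "[Priority: 1]: {TCP} 160.214.186.9:2641 -> 160.214.186.45:139",
]

# Rule pair named in the thread: the same check over NBT (139) and over TCP/IP (445).
SMB_SIBLINGS = {2403: 2404, 2404: 2403}

SUPPRESS_RE = re.compile(
    r"^suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)"
    r"(?:\s*,\s*track\s+(by_src|by_dst)\s*,\s*ip\s+(\S+))?\s*$"
)
ALERT_RE = re.compile(r"\[(\d+):(\d+):\d+\].*?\{\w+\}\s+(\S+?):\d+\s+->\s+(\S+?):\d+")


@dataclass(frozen=True)
class Suppress:
    gen_id: int
    sig_id: int
    track: Optional[str]  # None means the sid is suppressed for every source/destination
    network: Optional[Union[ipaddress.IPv4Network, ipaddress.IPv6Network]]

    def covers(self, gen_id: int, sig_id: int, src: str, dst: str) -> bool:
        """True if this entry would silence an alert with these ids and addresses."""
        if (gen_id, sig_id) != (self.gen_id, self.sig_id):
            return False
        if self.track is None:
            return True
        host = ipaddress.ip_address(src if self.track == "by_src" else dst)
        return host in self.network


def parse_suppress(conf_text: str) -> list[Suppress]:
    """Parse the suppress lines of a threshold.conf; comments and blank lines are skipped."""
    entries = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = SUPPRESS_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised suppress line: {raw!r}")
        gen_id, sig_id, track, ip = m.groups()
        # 'ip' accepts a single address or a CIDR block, as snort's threshold.conf does
        network = ipaddress.ip_network(ip, strict=False) if ip else None
        entries.append(Suppress(int(gen_id), int(sig_id), track, network))
    return entries


def parse_alert(line: str) -> tuple[int, int, str, str]:
    """Extract (gen_id, sid, src_ip, dst_ip) from a fast-alert style line."""
    m = ALERT_RE.search(line)
    if not m:
        raise ValueError(f"not an alert line: {line!r}")
    gen_id, sid, src, dst = m.groups()
    return int(gen_id), int(sid), src, dst


def uncovered_alerts(conf_text: str, alert_lines: list[str]) -> list[str]:
    """Return the alerts no suppress entry covers, i.e. what snort would still report."""
    entries = parse_suppress(conf_text)
    return [
        line
        for line in alert_lines
        if not any(e.covers(*parse_alert(line)) for e in entries)
    ]


def missing_siblings(conf_text: str, siblings=SMB_SIBLINGS) -> list[tuple[int, int]]:
    """List (suppressed_sid, sibling_sid) pairs where only one half of a 139/445 pair
    is suppressed with the same gen_id, track and ip."""
    entries = parse_suppress(conf_text)
    present = {(e.gen_id, e.sig_id, e.track, e.network) for e in entries}
    gaps = []
    for e in entries:
        other = siblings.get(e.sig_id)
        if other is not None and (e.gen_id, other, e.track, e.network) not in present:
            gaps.append((e.sig_id, other))
    return gaps


if __name__ == "__main__":
    for line in uncovered_alerts(THRESHOLD_CONF, ALERTS):
        print("still fires:", line)
    for sid, other in missing_siblings(THRESHOLD_CONF):
        print(f"sid {sid} is suppressed but its sibling sid {other} is not")
```

Run against the excerpt above it reports the sid 2403 alert as still firing and names 2403 as the missing sibling; adding the matching `suppress gen_id 1, sig_id 2403, track by_src, ip 160.214.186.9` line silences both. The sibling table only holds the pair from this thread; extend it with other 139/445 rule pairs from your own rule set.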



