[Snort-users] Help with pass rule

prabu prabu333 at ...8908...
Thu Sep 2 23:31:11 EDT 2004


Hello Sekure,
            It was a good response with a lot of practical information for using
the Windows rules. Great!!!!!!!

But, coming back to the point,
   it was you who wrote that the sig_id is 2405.
   I corrected it to 2404. But now you are saying it the other way round, the
vice versa.

Look at my reply (cut and paste of my mail):
> On Thu, 2 Sep 2004 09:54:09 +0530, prabu <prabu333 at ...8908...> wrote:
> > Hi,
> >     I guess that the correct sig_id for that rule is supposed to be 2404, instead
> > of 2405.
> >
> > So the suppress command should be as
> > suppress gen_id 1, sig_id 2404, track by_src, ip 160.214.186.9
> > instead of;
> > suppress gen_id 1, sig_id 2405, track by_src, ip 160.214.186.9
> >

Have a look at your first reply:
Carlton,

A better solution would be to add the following to your threshold.conf:
suppress gen_id 1, sig_id 2405, track by_src, ip 160.214.186.9


Now it may be clear to you. My intention was not to criticise you, but to give
the correct information to the list.


Cheers,
prabu.S





----- Original Message ----- 
From: "sekure" <sekure at ...11827...>
To: "prabu" <prabu333 at ...8908...>
Cc: "Carlton L. Whitmore" <cwhitmore at ...12165...>;
<snort-users at lists.sourceforge.net>
Sent: Thursday, September 02, 2004 8:30 PM
Subject: Re: [Snort-users] Help with pass rule


> Prabu,
>
> The original message included the following alert:
>
> > > [1:2404:5] NETBIOS SMB-DS Session Setup AndX request unicode username
> > > overflow attempt [Classification: Attempted Administrator Privilege
> > > Gain] [Priority: 1]: {TCP} 160.214.186.9:2636 -> 160.214.186.45:445
>
> The sid is 2404, so my initial post was correct.
> Sid 2505 is " WEB-PHP phptest.php access"
>
> But this does bring up an interesting point.  Carlton, a lot of the
> Windows rules have two versions, one for SMB over NBT (port 139) and
> one for SMB over TCP/IP (port 445).  So if you are going to be
> suppressing rules, make sure you suppress them both, if they are both
> popping up.  The other sid is 2403 "NETBIOS SMB Session Setup AndX
> request unicode username overflow attempt".
>
> It's a subtle difference and I've been caught dumbfounded more than
> once, after suppressing one rule, seeing the other, but not realizing
> it and thinking Snort was somehow broken.
>
> good luck
>
> On Thu, 2 Sep 2004 09:54:09 +0530, prabu <prabu333 at ...8908...> wrote:
> > Hi,
> >     I guess that the correct sig_id for that rule is supposed to be 2404, instead
> > of 2405.
> >
> > So the suppress command should be as
> > suppress gen_id 1, sig_id 2404, track by_src, ip 160.214.186.9
> > instead of;
> > suppress gen_id 1, sig_id 2405, track by_src, ip 160.214.186.9
> >
> >
> > Cheers,
> > Prabu.S
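To illustrate the point in sekure's reply (the port-139 sid and the port-445 sid are separate rules, so suppressing one still leaves the other firing), here is an added Python example, not code from this thread or from Snort itself: it parses suppress entries from a threshold.conf and reports which alerts from an alert log would still be reported. The alert lines, the 10.0.0.7 source and the threshold.conf contents are constructed for the example.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed Snort alert lines modelled on the one quoted in the thread:
# the port-445 rule (sid 2404) and its port-139 sibling (sid 2403).
SAMPLE_ALERTS = """\
[1:2404:5] NETBIOS SMB-DS Session Setup AndX request unicode username overflow attempt [Classification: Attempted Administrator Privilege Gain] [Priority: 1]: {TCP} 160.214.186.9:2636 -> 160.214.186.45:445
[1:2403:5] NETBIOS SMB Session Setup AndX request unicode username overflow attempt [Classification: Attempted Administrator Privilege Gain] [Priority: 1]: {TCP} 160.214.186.9:2701 -> 160.214.186.45:139
[1:2404:5] NETBIOS SMB-DS Session Setup AndX request unicode username overflow attempt [Classification: Attempted Administrator Privilege Gain] [Priority: 1]: {TCP} 10.0.0.7:3001 -> 160.214.186.45:445
"""
# Constructed threshold.conf: only the port-445 variant is suppressed, and only for one host.
THRESHOLD_CONF = "suppress gen_id 1, sig_id 2404, track by_src, ip 160.214.186.9\n"

ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):\d+\]\s+(?P<msg>.*?)\s+\[Classification:.*?"
    r"\{\w+\}\s+(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)")
# The 'track ... ip ...' clause is optional: without it the sid is suppressed for every address.
SUPPRESS_RE = re.compile(
    r"^suppress\s+gen_id\s+(?P<gid>\d+)\s*,\s*sig_id\s+(?P<sid>\d+)"
    r"(?:\s*,\s*track\s+(?P<track>by_src|by_dst)\s*,\s*ip\s+(?P<ip>[\d./]+))?\s*$")

def parse_threshold_conf(text):
    """Return suppress entries as (gid, sid, track, ip); comments and other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = SUPPRESS_RE.match(line.split("#", 1)[0].strip())
        if m:
            entries.append((int(m["gid"]), int(m["sid"]), m["track"], m["ip"]))
    return entries

def parse_alert(line):
    # Returns the alert fields as a dict, or None when the line is not an alert.
    m = ALERT_RE.search(line)
    return m and {k: int(v) if k in ("gid", "sid", "dport") else v for k, v in m.groupdict().items()}

def is_suppressed(alert, entry):
    gid, sid, track, ip = entry
    if (gid, sid) != (alert["gid"], alert["sid"]):
        return False
    if track is None:
        return True
    # by_src compares the alert's source address, by_dst its destination; CIDR is accepted.
    addr = alert["src"] if track == "by_src" else alert["dst"]
    return ip_address(addr) in ip_network(ip, strict=False)

def unsuppressed(alert_text, conf_text):
    """Alerts that would still be reported, as (sid, src, dport, msg) tuples."""
    entries = parse_threshold_conf(conf_text)
    return [(a["sid"], a["src"], a["dport"], a["msg"])
            for a in map(parse_alert, alert_text.splitlines())
            if a and not any(is_suppressed(a, e) for e in entries)]
```

Running `unsuppressed(SAMPLE_ALERTS, THRESHOLD_CONF)` shows sid 2403 from 160.214.186.9 still firing on port 139 even though 2404 is suppressed for that host, which is exactly the case sekure describes.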

