[Snort-users] Strange Alert

Todd Wease twease at ...1935...
Wed Feb 10 09:03:39 EST 2010

On 02/10/2010 08:54 AM, Jens Link wrote:
> Nigel Houghton<nhoughton at ...1935...>  writes:
>> Then if you look in the doc directory (it's in the distribution, look
>> for it) you will find the document that accompanies this event, it is
>> named 133-34.txt. (I thought the gid-sid.txt naming convention might be
>> helpful)
> Thanks for your help Nigel,
> apparently there is no doc/signatures directory in the
> tarball. There is one in the tarball though. I guess that's why
> I couldn't find it.
> cheers,
> Jens


Take a look in doc/README.dcerpc2 for an explanation of that event.  
It's meant to try to identify evasions where a request is fragmented 


More information about the Snort-users mailing list