[Snort-users] Strange Alert

Todd Wease twease at ...1935...
Wed Feb 10 09:03:39 EST 2010


On 02/10/2010 08:54 AM, Jens Link wrote:
> Nigel Houghton <nhoughton at ...1935...> writes:
>
>    
>> Then if you look in the doc directory (it's in the distribution, look
>> for it) you will find the document that accompanies this event, it is
>> named 133-34.txt. (I thought the gid-sid.txt naming convention might be
>> helpful)
>>      
> Thanks for your help Nigel,
>
> apparently there is no doc/signatures directory in the 2.8.5.2
> tarball. There is one in the 2.8.5.1 tarball though. I guess that's why
> I couldn't find it.
>
> cheers,
>
> Jens
>    

Jens,

Take a look in doc/README.dcerpc2 for an explanation of that event.  
It's meant to try to identify evasions where a request is fragmented 
unnecessarily.

Todd



