[Snort-users] Strange Alert

Dirk Geschke Dirk_Geschke at ...1344...
Wed Feb 10 08:32:17 EST 2010


Hi Jens,

> I have a snort (2.8.5.2) setup here using barnyard (2.1.7) and base
> (1.4.4). Everything works as expected except for one alert which shows
> up on base:
> 
> [snort]    Snort Alert [133:34:0]    unclassified 
> 
> I grepped /etc/snort and the source and didn't find anything. Any ideas?

I think it is the DCE2 preprocessor (src/generators.h):

#define GENERATOR_DCE2                              133

and there 

#define     DCE2_EVENT__CO_FRAG_LT_MAX_XMIT_FRAG     34

which is used in src/dynamic-preprocessors/dcerpc2/dce2_event.c:

  {
      DCE2_EVENT_FLAG__CO,
      DCE2_EVENT__CO_FRAG_LT_MAX_XMIT_FRAG,
      "Connection-oriented DCE/RPC - %s: Fragment length on non-last fragment (%u) less than "
          "maximum negotiated fragment transmit size for client (%u)"
  },

Just my 2ct...

Best regards

Dirk

-- 
Dr. Dirk Geschke - Tel.: +49-(0)-89-991950-131 
GeNUA Gesellschaft für Netzwerk- und Unix-Administration mbH
Domagkstr. 7, D-85551 Kirchheim. http://www.genua.de
Tel: (089) 99 19 50 - 0, Fax: (089) 99 10 50 - 999
Managing directors: Dr. Magnus Harlander, Dr. Michaela Harlander,
Bernhard Schneck. Munich District Court HRB 98238
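
The lookup described in this message, as an added example that is not part of the original post: it resolves a [gid:sid:rev] triple against a table in the `gid || sid || message` layout used by Snort's gen-msg.map. The sample map entries are constructed (the 133:34 text is adapted from the dce2_event.c string quoted above), and the function names are hypothetical.

```python
import re

# Constructed sample in the "gid || sid || message" layout of gen-msg.map.
# The 133:34 text is adapted from the dce2_event.c string quoted in the post.
SAMPLE_GEN_MSG_MAP = """\
# generator id || alert id || message
1 || 1 || snort general alert
133 || 34 || dcerpc2: CO fragment length on non-last fragment less than max xmit frag
this line is malformed and is skipped
"""

ALERT_ID = re.compile(r"\[(\d+):(\d+):(\d+)\]")


def load_gen_msg_map(text):
    """Return {(gid, sid): message}, ignoring comments and malformed lines."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split("||", 2)]
        if len(parts) != 3 or not (parts[0].isdigit() and parts[1].isdigit()):
            continue
        table[(int(parts[0]), int(parts[1]))] = parts[2]
    return table


def parse_alert_id(alert_line):
    """Extract (gid, sid, rev) from text such as 'Snort Alert [133:34:0]'."""
    m = ALERT_ID.search(alert_line)
    if m is None:
        raise ValueError("no [gid:sid:rev] triple in %r" % alert_line)
    return tuple(int(g) for g in m.groups())


def explain(alert_line, table):
    """Describe an alert's origin, or say where to look when the map lacks it."""
    gid, sid, rev = parse_alert_id(alert_line)
    msg = table.get((gid, sid))
    if msg is not None:
        return "%d:%d:%d %s" % (gid, sid, rev, msg)
    return ("%d:%d:%d not in map; look up generator %d in src/generators.h"
            % (gid, sid, rev, gid))


if __name__ == "__main__":
    table = load_gen_msg_map(SAMPLE_GEN_MSG_MAP)
    print(explain("[snort]    Snort Alert [133:34:0]    unclassified", table))
    print(explain("Snort Alert [133:35:0]", table))
```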



