[Snort-users] SMB PREPROCESSOR

sec hot sechot44 at gmail.com
Mon Dec 31 16:28:44 EST 2018


Attached.
Unfortunately I cannot add the pcap because it contains real data.
The rule is trying to detect an LDAP query from the CLI, for example:

net group "domain admins" /domain

On Mon, Dec 31, 2018 at 9:56 PM Al Lewis (allewi) <allewi at cisco.com> wrote:

> Can you share the rule, the conf file and pcap?
>
> It may be easier to help if you show what you're working with.
>
> *Albert Lewis*
>
> ENGINEER.SOFTWARE ENGINEERING
>
> Cisco Systems Inc.
>
> Email: allewi at cisco.com
>
> *From: *Snort-users <snort-users-bounces at lists.snort.org> on behalf of
> sec hot via Snort-users <snort-users at lists.snort.org>
> *Reply-To: *sec hot <sechot44 at gmail.com>
> *Date: *Monday, December 31, 2018 at 2:55 PM
> *To: *"snort-users at lists.snort.org" <snort-users at lists.snort.org>
> *Subject: *[Snort-users] SMB PREPROCESSOR
>
> Hi
>
> How does the preprocessor work?
>
> I created an SMB rule that detects content in an SMB packet. For some reason the
> rule is not triggering all the time: I am sending the same packet over and over and
> only on the third time is the rule triggered. Is it related to the SMB
> preprocessor? Why is that?
>
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: snort.conf
Type: application/octet-stream
Size: 27896 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20181231/c4693ec0/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: local.rules
Type: application/octet-stream
Size: 1201 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20181231/c4693ec0/attachment-0001.obj>