Hosting Provided By

[Snort-sigs] Netbios rules are case sensitive?

From: Jason Haar <Jason.Haar(at)trimble.co.nz>
Date: Wed Apr 30 2003 - 18:08:17 EDT

I've just noticed that the Nimda rules are case sensitive - should that be the case?

e.g.

alert tcp any any -> any 139 (msg:"NETBIOS nimda .eml"; content:"|00|.|00|E|00|M|00|L"; flow:to_server,established; classtype:bad-unknown; reference:url,www.f-secure.com/v-descs/nimda.shtml; sid:1293; rev:8;)

That'll catch "test.EML", but it won't catch "test.eml|test.emL" - even though they are all ".eml" according to Windows applications...

Shouldn't "nocase" be in them?

Also, there are no port 445 versions of these rules - shouldn't there be?

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1


-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

Received on Wed Apr 30 18:54:46 2003

This message: [ Message body ]
Next message: Jon Stearn: "RE: [Snort-sigs] Netbios rules are case sensitive?"
Previous message: Jason Haar: "Re: [Snort-sigs] False Positive on SMTP HELO Overflow"
Next in thread: Jon Stearn: "RE: [Snort-sigs] Netbios rules are case sensitive?"
Reply: Jon Stearn: "RE: [Snort-sigs] Netbios rules are case sensitive?"
Reply: Brian: "Re: [Snort-sigs] Netbios rules are case sensitive?"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:27 EDT