The ones you have listed, nebulus, look pretty much like 'canned' rules. ;)
Cheers:
Figured it was, but thought I would add them anyway.
Neb:
If you look at them carefully they all look for something more specific than a simple NetBIOS connection. It's either administrative share access, viruses accessing shares and transferring themselves or whatever.
It really wouldn't help to be logging every transaction of this type on a larger network.... The alerts would be horrendous.
Well, seeing that I don't allow it on my LAN at home, it would be acceptable. It could also be useful to see in your DMZ zones, assuming you don't allow it to be used out to the internet. I know the signatures (the stock ones) are looking at specific content; that was more or less the point of saying 'hey, if someone that uses this more wants to add some filters, i.e. by looking at NetBIOS content to look at something specific, then it wouldn't alarm as much as my original suggestion'.
Quote:
Originally posted here by Tiger Shark
Neb:
If you look at them carefully they all look for something more specific than a simple NetBIOS connection. It's either administrative share access, viruses accessing shares and transferring themselves or whatever.
It really wouldn't help to be logging every transaction of this type on a larger network.... The alerts would be horrendous.
Anyway, hope you guys follow, I think I am about to give up explaining why I said what I did :)