Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
255
Views
1
Helpful
2
Replies

ethereal or tcpdump filter for WindowsLocSrv

darin.marais
Level 4
Level 4

‎11-19-2003 02:34 AM - edited ‎03-09-2019 05:35 AM

I am busy analyzing the alarm “Windows Locator Service Overflow” with in our network. The signature says that it will trigger when with the following parameters

8 - MinMatchLength = 2000

11 - ServicePorts = 139,445

I would like to see an example of when this alarm has triggererd and then corilate that with the “iplog” capture that has been taken during the same period.

Can anyone on the list tell me what the ethereal or tcpdump filter should look like in order to filter these packets to the display?

Would eth.len > 2000 work?

Labels:
0 Helpful
2 Replies 2

klwiley
Cisco Employee
Cisco Employee

‎11-19-2003 05:09 PM

Is this on a 3.1 sensor?

darin.marais
Level 4
Level 4
In response to klwiley

‎11-20-2003 12:45 AM

it is indeed!

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents