Snort mailing list archives
Re: Rule 3:13476 direction?
From: "Jefferson, Shawn" <Shawn.Jefferson () bcferries com>
Date: Tue, 7 Sep 2010 11:40:37 -0600
Anybody from SourceFire/VRT here that can comment on this? ________________________________ From: Jefferson, Shawn [mailto:Shawn.Jefferson () bcferries com] Sent: Wednesday, September 01, 2010 2:30 PM To: snort-users () lists sourceforge net Subject: [Snort-users] Rule 3:13476 direction? Hi, I'm looking at a few alerts from the so_rule 3:13476, but it looks like the direction is wrong... alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-MISC Microsoft IIS HTMLEncode Unicode string buffer overflow"; sid:13476; gid:3; rev:2; classtype:web-application-attack; reference:cve,2008-0075; reference:url,www.microsoft.com/technet/security/bulletin/ms08-006.mspx; metadata: engine shared, soid 3|13476;)
From what I can gather, this is vulnerability in IIS, but the direction of the rule above is HOME_NET to EXTERNAL_NET and the alerts that I am seeing are from a client in my network to servers on the Internet. Since I can't see into the rule, I don't really know exactly what is going on with it, but this looks to me like a rule I could disable?
(and this does not look like an attack from inside my network either...) -- Shawn
------------------------------------------------------------------------------ This SF.net Dev2Dev email is sponsored by: Show off your parallel programming skills. Enter the Intel(R) Threading Challenge 2010. http://p.sf.net/sfu/intel-thread-sfd
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Rule 3:13476 direction? Jefferson, Shawn (Sep 01)
- Re: Rule 3:13476 direction? Jefferson, Shawn (Sep 07)