Re: Rule 3:13476 direction?

["Jefferson, Shawn" <Shawn.Jefferson () bcferries com>]

Anybody from SourceFire/VRT here that can comment on this?

________________________________
From: Jefferson, Shawn [mailto:Shawn.Jefferson () bcferries com]
Sent: Wednesday, September 01, 2010 2:30 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Rule 3:13476 direction?

Hi,

I'm looking at a few alerts from the so_rule 3:13476, but it looks like the direction is wrong...

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-MISC Microsoft IIS HTMLEncode Unicode string buffer 
overflow"; sid:13476; gid:3; rev:2; classtype:web-application-attack; reference:cve,2008-0075; 
reference:url,www.microsoft.com/technet/security/bulletin/ms08-006.mspx; metadata: engine shared, soid 3|13476;)

> From what I can gather, this is vulnerability in IIS, but the direction of the rule above is HOME_NET to EXTERNAL_NET 
> and the alerts that I am seeing are from a client in my network to servers on the Internet.  Since I can't see into 
> the rule, I don't really know exactly what is going on with it, but this looks to me like a rule I could disable?

(and this does not look like an attack from inside my network either...)

--
Shawn


------------------------------------------------------------------------------
This SF.net Dev2Dev email is sponsored by:

Show off your parallel programming skills.
Enter the Intel(R) Threading Challenge 2010.
http://p.sf.net/sfu/intel-thread-sfd

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users