Snort mailing list archives

Re: New Question for SID 17294 and SID 17407


From: rmkml <rmkml () free fr>
Date: Tue, 12 Apr 2011 16:52:28 +0200 (CEST)

Hi Mod,
The best is to enable packet capture for these rules and check then...
The second rule is very short (for performance reasons) but allows possible FPs... (like searching for .hlp in parameters, for example) {best is to block the .hlp extension on your web proxy...}
If I remember correctly, the first rule is not in the recommended rules...
Regards
Rmkml



On Tue, 12 Apr 2011, Mohd Mukrim Che Mohamad Zulkifly wrote:

This is the rule for SID 17294

Rule: alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DOS Microsoft Windows NAT Helper DNS query denial of service attempt"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|00 00|"; depth:2; offset:4; reference:bugtraq,20804; reference:cve,2006-5614; classtype:attempted-dos; sid:17294; rev:2; )

and this is the rule for SID

Rule: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-CLIENT Windows help file download request"; flow:to_server,established; content:".hlp"; nocase; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2006-3357; reference:cve,2006-4138; classtype:attempted-user; sid:17407; rev:4; )


Recently, I received alerts for those two rules

SID 17294 (DOS Microsoft Windows NAT Helper DNS query denial of service attempt): 5 times, all Impact Flag 1
SID 17407 (WEB-CLIENT Windows help file download request): 3 times, 1 with Impact Flag 1, others with Impact Flag 3 and 4, all blocked by RNA Recommended Rule


Because they rarely occur, I decided to block all those as they don't seem to be significant to the network operation. Was it really necessary to block them?
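As an added example (not code from this thread or from the Snort rule set), the following Python re-implements the match conditions of the two rules quoted above so an analyst doing the packet-capture check rmkml suggests can confirm, offline, whether a captured DNS payload or request URI really satisfies each rule. It assumes standard Snort byte_test semantics (with the `!&` operator, the test succeeds only when none of the masked bits is set) and that `http_uri` covers the whole normalized URI including the query string; all sample packets and URIs are constructed here, not taken from the poster's captures.

```python
import struct
from urllib.parse import urlsplit

# --- SID 17294: DOS Microsoft Windows NAT Helper DNS query denial of service attempt ---
# Rule options: byte_test:1,!&,0xF8,2; content:"|00 00|"; depth:2; offset:4;
# Reading of those options (assumption: standard Snort byte_test semantics):
#   byte_test:1,!&,0xF8,2  -> read 1 byte at payload offset 2 (high byte of the DNS
#                             flags field) and succeed when (byte & 0xF8) == 0, i.e.
#                             QR == 0 (a query) and Opcode == 0 (standard query)
#   content "|00 00|" offset:4 depth:2 -> bytes 4..5 (QDCOUNT) are both zero
# So the rule fires on a standard DNS query that carries no question records.

DNS_HEADER_LEN = 12


def matches_sid17294(dns_payload: bytes) -> bool:
    """Return True when a raw DNS payload (UDP data) satisfies SID 17294's match logic."""
    if len(dns_payload) < 6:            # byte_test and content both need bytes 0..5
        return False
    flags_hi = dns_payload[2]
    if flags_hi & 0xF8:                 # '!&': any masked bit set means no match
        return False
    return dns_payload[4:6] == b"\x00\x00"


def decode_dns_header(dns_payload: bytes) -> dict:
    """Analyst-friendly view of the 12-byte DNS header so an alert can be explained."""
    if len(dns_payload) < DNS_HEADER_LEN:
        raise ValueError("payload shorter than a DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", dns_payload[:DNS_HEADER_LEN])
    return {
        "id": txid,
        "qr": (flags >> 15) & 1,
        "opcode": (flags >> 11) & 0xF,
        "rd": (flags >> 8) & 1,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def build_dns_header(txid: int, flags: int, qdcount: int,
                     ancount: int = 0, nscount: int = 0, arcount: int = 0) -> bytes:
    """Constructed sample header for testing (no question section is attached)."""
    return struct.pack("!HHHHHH", txid, flags, qdcount, ancount, nscount, arcount)


# --- SID 17407: WEB-CLIENT Windows help file download request ---
# Rule options: content:".hlp"; nocase; http_uri;
# http_uri is matched against the whole normalized request URI, query string included,
# which is the false-positive case rmkml mentions (".hlp" only inside a parameter).

def classify_hlp_uri(uri: str) -> str:
    """'path'  -> '.hlp' in the path component (a real help-file request is plausible)
       'query' -> '.hlp' only in the query string (the FP case, e.g. a search term)
       'none'  -> the rule would not fire on this URI"""
    parts = urlsplit(uri)
    if ".hlp" in parts.path.lower():
        return "path"
    if ".hlp" in parts.query.lower():
        return "query"
    return "none"


def triage(dns_payloads, uris):
    """Summarize captured data: DNS payloads that truly match 17294, and how each URI classifies."""
    return {
        "sid17294_hits": [decode_dns_header(p) for p in dns_payloads if matches_sid17294(p)],
        "sid17407": {u: classify_hlp_uri(u) for u in uris},
    }


if __name__ == "__main__":
    # Constructed sample data (not from the poster's captures)
    samples = [
        build_dns_header(0x1234, 0x0100, qdcount=0),   # standard query, RD set, no question
        build_dns_header(0x1235, 0x0100, qdcount=1),   # ordinary lookup
        build_dns_header(0x1236, 0x8180, qdcount=0),   # a response (QR=1), not a query
    ]
    uris = ["/support/readme.hlp", "/search?q=windows.HLP+viewer", "/index.html"]
    print(triage(samples, uris))
```

Running the script prints only the first DNS sample as a genuine SID 17294 hit (the ordinary lookup has QDCOUNT 1, the response has QR set), and classifies the second URI as a query-string-only hit, which is exactly the kind of alert worth reviewing rather than blocking outright.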


