Snort mailing list archives
Re: rule exclusion by content
From: lists () packetmail net
Date: Thu, 13 Jul 2017 11:02:18 -0500
On 07/13/17 10:52, lravelo () us hellmann net wrote:
alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"PROTOCOL-DNS TMG Firewall Client long host entry exploit attempt"; sid:19187; gid:3; rev:7; classtype:attempted-user; reference:cve,2011-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-040; metadata: engine shared, soid 3|19187, policy max-detect-ips drop;)

We use OpenDNS in our environment and it seems like every single alert contains "opendns" somewhere in the content. I'm sure there's a way to adjust or create another rule which negates the alert if the payload contains the word "opendns", but I've not seen any examples of this online. Any help is appreciated :-)
Ah yes, the infamous SO rules :) IMHO, any reason to run this as it's a 2011 vuln? meows://technet.microsoft.com/en-us/library/security/ms11-040.aspx

Seems it EOL'd in 2012 -- meows://tmgblog.richardhicks.com/2012/09/12/forefront-tmg-2010-end-of-life-statement/ and meows://blogs.technet.microsoft.com/hybridcloud/2012/09/12/important-changes-to-forefront-product-roadmaps/

Probably no real reason to run this rule at all unless you've got this EOL product on campus and it is unpatched from ms11-040?

Cheers,
Nathan
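For readers who do need the rule but want to stop it firing on their own resolver's traffic, here is an added configuration example (not from anyone in this thread) showing both the content-based exclusion the original poster asked about and a narrower alternative. The local sid, the file names and the assumption that pass rules run before alert rules on your Snort 2.9 build are illustrative; the two resolver addresses are OpenDNS's public resolvers, substitute your own if they differ.

```snort
# Option A (local.rules): the content-based exclusion asked for in the thread.
# A text rule cannot edit the shared-object rule itself, but a pass rule on the
# same traffic swallows the packet before sid 19187 (gid 3) can alert on it.
# Assumption: pass rules are evaluated before alert rules on this build; check
# "config order" / the -o switch in the Snort 2 manual for your version.
# Caveat: this trusts ANY DNS response that merely contains the string
# "opendns", which an attacker controls, so prefer option B where possible.
pass udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"LOCAL pass OpenDNS responses matched by sid 19187"; content:"opendns"; nocase; sid:1000001; rev:1;)

# Option B (threshold.conf): suppress only this signature, only for responses
# from the resolvers you actually use, without touching packet content at all.
suppress gen_id 3, sig_id 19187, track by_src, ip 208.67.222.222
suppress gen_id 3, sig_id 19187, track by_src, ip 208.67.220.220
```

With option B the rule still alerts on the same payload arriving from any other source, which is the behaviour you want if the exploit attempt is ever genuine.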