Re: rule exclusion by content

[lravelo () us hellmann net]

We don't use TMG at all.  If the vulnerability is only related to that 
then it's probably a better idea to disable the sid altogether.  Thanks 
for the help.

Regards,

Lazaro Ravelo
ISS Systems Engineer II

Hellmann Worldwide Logistics Inc.
10450 Doral Blvd
Doral, FL  33178
Phone:  +1 305 406 4500
Fax:  +1 305 418 4992
Direct:  +1 305 406 4574
Mobile:  +1 305 927 1386
Email:  Lazaro.Ravelo () us hellmann net
Web:  www.hellmann.com
 
THINKING AHEAD - MOVING FORWARD




From:   lists () packetmail net
To:     lravelo () us hellmann net, snort-sigs () lists snort org
Date:   07/13/2017 12:02 PM
Subject:        Re: [Snort-sigs] rule exclusion by content



On 07/13/17 10:52, lravelo () us hellmann net wrote:
> alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"PROTOCOL-DNS TMG 
Firewall
> Client long host entry exploit attempt"; sid:19187; gid:3; rev:7;
> classtype:attempted-user; reference:cve,2011-1889;
> reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-040; 
metadata:
> engine shared, soid 3|19187, policy max-detect-ips drop;)
>
> we use OpenDNS in our environment and it seems like every single alert 
contains
> "opendns" somewhere in the content.  I'm sure there's a way to adjust or 
create
> another rule which negates the alert if the payload contains the word 
"opendns"
> but I've not seen any examples of this online.  Any help is appreciated 
:-)

As yes, the infamous SO rules :)  IMHO, any reason to run this as it's a 
2011
vuln?  meows://technet.microsoft.com/en-us/library/security/ms11-040.aspx

Seems it EOL'd in 2012 --
meows://tmgblog.richardhicks.com/2012/09/12/forefront-tmg-2010-end-of-life-statement/
and
meows://blogs.technet.microsoft.com/hybridcloud/2012/09/12/important-changes-to-forefront-product-roadmaps/

Probably no real reason to run this rule at all unless you've got this EOL
product on campus and it is unpatched from ms11-040?

Cheers,
Nathan



07/13/2017----12:02:18 PM



> Disclaimer: Please note that Internet communications are not secure and 
therefore HELLMANN WORLDWIDE LOGISTICS does not accept legal 
responsibility for the contents of this message. This e-mail is intended 
only for the use of the individual or entity named above and may contain 
information that is confidential and privileged. If you are not the 
intended recipient, you are hereby notified that any dissemination, 
distribution or copying of this e-mail is strictly prohibited. Opinions, 
conclusions and other information in this message that do not relate to 
the official business of HELLMANN WORLDWIDE LOGISTICS shall be understood 
as neither given nor endorsed by it. Viruses: HELLMANN WORLDWIDE LOGISTICS 
takes all possible steps to ensure that emails are virus free, but does 
not accept any liability or responsibility whatsoever for any claims, 
losses or damages arising as a result of any party accessing this email or 
files attached to it.

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

http://www.snort.org

Please visit http://blog.snort.org for the latest news about Snort!

Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a 
href=" https://snort.org/downloads/#rule-downloads";>emerging threats</a>!