Snort mailing list archives
Rule 3:13476 direction?
From: "Jefferson, Shawn" <Shawn.Jefferson () bcferries com>
Date: Wed, 1 Sep 2010 15:29:52 -0600
Hi, I'm looking at a few alerts from the so_rule 3:13476, but it looks like the direction is wrong...

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-MISC Microsoft IIS HTMLEncode Unicode string buffer overflow"; sid:13476; gid:3; rev:2; classtype:web-application-attack; reference:cve,2008-0075; reference:url,www.microsoft.com/technet/security/bulletin/ms08-006.mspx; metadata: engine shared, soid 3|13476;)

From what I can gather, this is a vulnerability in IIS, but the direction of the rule above is HOME_NET to EXTERNAL_NET and the alerts that I am seeing are from a client in my network to servers on the Internet. Since I can't see into the rule, I don't really know exactly what is going on with it, but this looks to me like a rule I could disable?
(and this does not look like an attack from inside my network either...)

-- Shawn
Current thread:
- Rule 3:13476 direction? Jefferson, Shawn (Sep 01)
- Re: Rule 3:13476 direction? Jefferson, Shawn (Sep 07)