Snort mailing list archives

Re: Rule 17494


From: infosec posts <infosec.posts () gmail com>
Date: Fri, 1 Oct 2010 21:00:43 -0500

Frankly, I'm surprised I haven't seen more complaints about this rule.
I only had it active for about a 3-hour window when I actually had
users on the network, and had over 1.2 million alerts out of it before
I got it shut down.  While I believe it's good to load test your
systems, I prefer not to do it on critical production systems and
spend hours trying to shut off the DoS that I got from this signature.
I've learned my lesson, though; I can't trust automatic deployment of
the VRT subscriber rules any more.

There's a thread earlier this week when I inquired about it, and
Sourcefire said they had a request to write some sigs for really old
exploits that are probably irrelevant for the majority of their
subscribers.  Unfortunately, they apparently skipped the QC on this
one.


On Fri, Oct 1, 2010 at 2:08 PM, Jefferson, Shawn
<Shawn.Jefferson () bcferries com> wrote:
Anyone else notice this rule, 17494, triggering a lot today?  Or is it just
me?  It's an old vulnerability from 2006.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( \
    msg:"WEB-CLIENT Microsoft Internet Explorer Long URL Buffer Overflow attempt"; \
    flow:established,to_server; \
    urilen:>260; \
    content:"GET"; http_method; \
    content:"HTTP|2F|1|2E|1|0D 0A|"; \
    metadata:service http; \
    reference:bugtraq,19667; reference:cve,2006-3869; \
    classtype:attempted-user; \
    sid:17494; rev:1;)

--
Shawn Jefferson, IT Security, GCIH, GCFA
British Columbia Ferry Services Inc.
Tel: (250) 978-1508
Fax: (250) 405-3533
Shawn.Jefferson () bcferries com | www.bcferries.com
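As an added illustration (it is not part of either message in this thread and is not Snort's own code), the Python below re-implements the three match conditions of SID 17494 and runs them over a handful of constructed HTTP requests. The `flow:established,to_server` option is assumed to hold because only client requests are fed in, and `urilen` is approximated by the raw request-URI length, which equals Snort's normalised URI length whenever the URI needs no normalisation. The function and sample names are this example's own. Running it shows why the rule is so noisy: any GET with a request-URI over 260 bytes, such as an ordinary search or session-tracking URL, satisfies every option.

```python
"""Re-implementation of the match logic of Snort SID 17494 (added example).

Rule options being modelled, in the order Snort evaluates them:
  flow:established,to_server;        -> assumed: we only look at client requests
  urilen:>260;                       -> request-URI longer than 260 bytes
  content:"GET"; http_method;        -> the HTTP method is GET
  content:"HTTP|2F|1|2E|1|0D 0A|";   -> literal "HTTP/1.1\r\n" anywhere in the payload
"""
import re

# Request line of an HTTP/1.x request: METHOD SP URI SP VERSION CRLF
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) (HTTP/\d\.\d)\r\n")


def matches_sid_17494(request: bytes) -> bool:
    """Return True if one client-to-server request satisfies SID 17494.

    Assumption: urilen is measured on the raw request-URI (Snort applies it to
    the normalised URI buffer; the two agree when nothing needs normalising).
    """
    m = REQUEST_LINE.match(request)
    if not m:
        return False  # not a parseable HTTP request line: no http_method buffer
    method, uri, _version = m.groups()
    return method == b"GET" and len(uri) > 260 and b"HTTP/1.1\r\n" in request


def build_get(uri: str, host: str = "example.com") -> bytes:
    """Build a minimal HTTP/1.1 GET request for the given request-URI."""
    return f"GET {uri} HTTP/1.1\r\nHost: {host}\r\n\r\n".encode()


# Constructed sample traffic (not captured data). Note that the only thing
# distinguishing "long_benign_query" from "short_get" is the URI length.
SAMPLES = {
    "short_get": build_get("/index.html"),
    "long_benign_query": build_get("/search?q=snort&sessionid=" + "a" * 300),
    "long_post": b"POST /" + b"a" * 300 + b" HTTP/1.1\r\nHost: example.com\r\n\r\n",
    "long_http10": b"GET /" + b"a" * 300 + b" HTTP/1.0\r\nHost: example.com\r\n\r\n",
}


def evaluate(samples=SAMPLES):
    """Map each sample name to whether SID 17494 would alert on it."""
    return {name: matches_sid_17494(req) for name, req in samples.items()}


if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{name:20s} {'ALERT' if hit else '-'}")
```

The only sample that alerts is the benign long search URL; the rule carries no content that ties it to the 2006 IE issue beyond the URI length, so every long GET a browser emits counts as an "attempt".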



------------------------------------------------------------------------------
Start uncovering the many advantages of virtual appliances
and start using them to simplify application deployment and
accelerate your shift to cloud computing.
http://p.sf.net/sfu/novell-sfdev2dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
