Snort mailing list archives
Re: Rule 17494
From: infosec posts <infosec.posts () gmail com>
Date: Fri, 1 Oct 2010 21:00:43 -0500
Frankly, I'm surprised I haven't seen more complaints about this rule. I only had it active for about a 3-hour window when I actually had users on the network, and had over 1.2 million alerts out of it before I got it shut down. While I believe it's good to load test your systems, I prefer not to do it on critical production systems and spend hours trying to shut off the DoS that I got from this signature.

I've learned my lesson, though; I can't trust automatic deployment of the VRT subscriber rules any more. There was a thread earlier this week when I inquired about it, and Sourcefire said they had a request to write some sigs for really old exploits that are probably irrelevant for the majority of their subscribers. Unfortunately, they apparently skipped the QC on this one.

On Fri, Oct 1, 2010 at 2:08 PM, Jefferson, Shawn <Shawn.Jefferson () bcferries com> wrote:
Anyone else notice this rule, 17494, triggering a lot today? Or is it just me… it’s an old vulnerability from 2006.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-CLIENT Microsoft Internet Explorer Long URL Buffer Overflow attempt"; flow:established,to_server; urilen:>260; content:"GET"; http_method; content:"HTTP|2F|1|2E|1|0D 0A|"; metadata:service http; reference:bugtraq,19667; reference:cve,2006-3869; classtype:attempted-user; sid:17494; rev:1;)

--
Shawn Jefferson, IT Security, GCIH, GCFA
British Columbia Ferry Services Inc.
Tel: (250) 978-1508 Fax: (250) 405-3533
Shawn.Jefferson () bcferries com | www.bcferries.com

------------------------------------------------------------------------------
Start uncovering the many advantages of virtual appliances and start using them to simplify application deployment and accelerate your shift to cloud computing. http://p.sf.net/sfu/novell-sfdev2dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
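As an added illustration (not code from the thread or from Sourcefire), the following Python models the three payload conditions of sid:17494 rev:1 and runs them over constructed request lines. It assumes the flow (established, to_server) and $HOME_NET -> $EXTERNAL_NET:$HTTP_PORTS conditions already hold, which is the case for every client GET to a web server, so the only thing left to discriminate on is a URI longer than 260 bytes plus an HTTP/1.1 version string. Ordinary long query strings satisfy that, which is why the rule fires on benign traffic.

```python
import re

# Constructed HTTP request lines (not captured traffic) covering the
# cases the rule's conditions distinguish between.
REQUESTS = {
    "short_get": "GET /index.html HTTP/1.1\r\n",
    # A benign search/analytics-style GET with a long query string.
    "long_query_get": "GET /search?q=" + "a" * 300 + " HTTP/1.1\r\n",
    # Long URI but wrong method: http_method content "GET" does not match.
    "long_post": "POST /" + "b" * 300 + " HTTP/1.1\r\n",
    # Long GET but HTTP/1.0: the "HTTP/1.1\r\n" content does not match.
    "long_get_http10": "GET /" + "c" * 300 + " HTTP/1.0\r\n",
}

REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) (HTTP/\d\.\d)\r\n")

# content:"HTTP|2F|1|2E|1|0D 0A|" decodes to the bytes below.
VERSION_PATTERN = b"HTTP/1.1\r\n"


def sid_17494_matches(request: bytes) -> bool:
    """Return True when the modelled payload conditions of sid:17494 all hold.

    Conditions modelled: urilen:>260, content:"GET"; http_method,
    and content:"HTTP|2F|1|2E|1|0D 0A|". Flow and port checks are assumed
    satisfied (see lead-in).
    """
    m = REQUEST_LINE.match(request)
    if not m:
        return False
    method, uri, _version = m.groups()
    if len(uri) <= 260:          # urilen:>260 (raw URI length in bytes)
        return False
    if method != b"GET":         # content:"GET"; http_method
        return False
    return VERSION_PATTERN in request


def alerting_requests(requests: dict) -> list:
    """Names of the sample requests that would raise an alert, sorted."""
    return sorted(
        name for name, req in requests.items()
        if sid_17494_matches(req.encode("ascii"))
    )


if __name__ == "__main__":
    print("would alert:", alerting_requests(REQUESTS))
```

Only the benign long-query GET alerts, and nothing in the rule ties the match to the 2006 client-side overflow it references, so every such request from every user counts toward the alert volume described above.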
Current thread:
- Rule 17494 Jefferson, Shawn (Oct 01)
- Re: Rule 17494 Tomas Heredia (Oct 01)
- Re: Rule 17494 Joel Esler (Oct 01)
- Re: Rule 17494 Jeff Kell (Oct 01)
- Re: Rule 17494 waldo kitty (Oct 01)
- Re: Rule 17494 Jefferson, Shawn (Oct 01)
- Re: Rule 17494 JJC (Oct 01)
- Re: Rule 17494 waldo kitty (Oct 01)
- Re: Rule 17494 JJC (Oct 01)
- Re: Rule 17494 Tomas Heredia (Oct 01)
- Re: Rule 17494 infosec posts (Oct 01)
- Re: Rule 17494 Joel Esler (Oct 01)