Snort mailing list archives
Re: New Question for SID 17294 and SID 17407
From: rmkml <rmkml () free fr>
Date: Tue, 12 Apr 2011 16:52:28 +0200 (CEST)
Hi Mod,

The best approach is to enable packet capture for these rules and then check... The second rule is very short (for performance reasons) but allows possible FPs... (like searching for .hlp in parameters, for example) {best is to block the .hlp extension on your web proxy...} If I remember correctly, the first rule is not in the recommended rules...

Regards
Rmkml

On Tue, 12 Apr 2011, Mohd Mukrim Che Mohamad Zulkifly wrote:
This is the rule for SID 17294:

alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DOS Microsoft Windows NAT Helper DNS query denial of service attempt"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|00 00|"; depth:2; offset:4; reference:bugtraq,20804; reference:cve,2006-5614; classtype:attempted-dos; sid:17294; rev:2; )

and this is the rule for SID 17407:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-CLIENT Windows help file download request"; flow:to_server,established; content:".hlp"; nocase; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2006-3357; reference:cve,2006-4138; classtype:attempted-user; sid:17407; rev:4; )

Recently, I received alerts for those two rules:

SID 17294 (DOS Microsoft Windows NAT Helper DNS query denial of service attempt): 5 times, all Impact Flag 1
SID 17407 (WEB-CLIENT Windows help file download request): 3 times, 1 with Impact Flag 1, the others with Impact Flag 3 and 4, all blocked by RNA Recommended Rule

Because they rarely occur, I decided to block all of those as they don't seem to be significant to network operation. Was it really necessary to block them?
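Added example (mine, not from the thread or the Snort rule set): the match conditions of the two rules quoted above, re-implemented and run over constructed DNS headers and request URIs, so an alert can be judged against what the rule actually tests (a standard DNS query with QDCOUNT 0 for SID 17294; any ".hlp" substring in the URI for SID 17407). Assumption: Snort's normalized http_uri buffer includes the query string, which is what makes the parameter FP rmkml mentions possible.

```python
# Added example, not from the thread: re-implements what the two quoted rules
# test, on constructed sample input, so an alert can be judged against the
# actual match condition rather than the rule name.

def sid_17294_matches(dns_payload: bytes) -> bool:
    """SID 17294: byte_test:1,!&,0xF8,2 and content:"|00 00|"; offset:4; depth:2.

    Byte 2 of the DNS header carries QR (1 bit) and OPCODE (4 bits) in its top
    five bits, which is exactly the 0xF8 mask; "!&" passes when none are set,
    i.e. a standard query (QR=0, OPCODE=0). Bytes 4-5 are QDCOUNT, and the rule
    requires it to be zero: a query carrying no question section at all.
    """
    if len(dns_payload) < 6:
        return False
    if dns_payload[2] & 0xF8:          # response, or a non-standard opcode
        return False
    return dns_payload[4:6] == b"\x00\x00"

def sid_17407_matches(uri: str) -> bool:
    """SID 17407: content:".hlp"; nocase; http_uri.

    A case-insensitive substring test over the normalized URI. Assumed here:
    the normalized URI includes the query string, so ".hlp" inside a parameter
    value matches just like a path ending in .hlp (the FP case noted above).
    """
    return ".hlp" in uri.lower()

# Constructed DNS headers: ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT.
NORMAL_QUERY = bytes.fromhex("1234 0100 0001 0000 0000 0000") + b"\x03www\x07example\x03com\x00\x00\x01\x00\x01"
ZERO_QUESTION_QUERY = bytes.fromhex("1234 0100 0000 0000 0000 0000")
RESPONSE_NO_QUESTION = bytes.fromhex("1234 8180 0000 0000 0000 0000")  # QR=1, excluded by the mask

# Constructed request URIs with the expected verdict.
SAMPLE_URIS = {
    "/docs/readme.hlp": True,              # the download the rule is written for
    "/search?q=winhelp.HLP+format": True,  # ".hlp" only in a parameter: likely FP
    "/help/index.html": False,
}

def classify_samples() -> dict:
    """Run both checks over the constructed samples; returns name -> matched."""
    return {
        "normal_query": sid_17294_matches(NORMAL_QUERY),
        "zero_question_query": sid_17294_matches(ZERO_QUESTION_QUERY),
        "response_no_question": sid_17294_matches(RESPONSE_NO_QUESTION),
        **{uri: sid_17407_matches(uri) for uri in SAMPLE_URIS},
    }
```

Capturing the offending packets, as suggested, then feeding their DNS payload or URI to these checks tells you which of the two conditions tripped and whether the ".hlp" hit sits in a path or a parameter.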
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Current thread:
- New Question for SID 17294 and SID 17407 Mohd Mukrim Che Mohamad Zulkifly (Apr 11)
- Re: New Question for SID 17294 and SID 17407 rmkml (Apr 12)
- Re: New Question for SID 17294 and SID 17407 Matt Olney (Apr 12)