Snort mailing list archives

Re: New Question for SID 17294 and SID 17407


From: Matt Olney <molney () sourcefire com>
Date: Tue, 12 Apr 2011 10:58:43 -0400

Windows help files are blocked by Outlook, and considered dangerous:
http://office.microsoft.com/en-us/outlook-help/blocked-attachments-in-outlook-HA001229952.aspx

This may or may not be a false positive; let us know if it is. This rule is being
reviewed.

I'll have to review the DoS research, but unless you have XP2 machines
with internet sharing, you can probably safely disable this rule:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5614

Matt

On Mon, Apr 11, 2011 at 11:31 PM, Mohd Mukrim Che Mohamad Zulkifly <
mukrim.zulkifly () bit com my> wrote:

This is the rule for SID 17294

Rule:
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DOS Microsoft Windows NAT Helper DNS query denial of service attempt"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|00 00|"; depth:2; offset:4; reference:bugtraq,20804; reference:cve,2006-5614; classtype:attempted-dos; sid:17294; rev:2;)

and this is the rule for SID

Rule:
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-CLIENT Windows help file download request"; flow:to_server,established; content:".hlp"; nocase; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2006-3357; reference:cve,2006-4138; classtype:attempted-user; sid:17407; rev:4;)


Recently, I received alerts for those two rules

SID 17294 (DOS Microsoft Windows NAT Helper DNS query denial of service attempt): 5 times, all Impact Flag 1
SID 17407 (WEB-CLIENT Windows help file download request): 3 times, 1 with Impact Flag 1, others with Impact Flag 3 and 4, all blocked by RNA Recommended Rule


Because they rarely occur, I decided to block all of those, as they don't seem
to be significant to the network operation. Was it really necessary to block
them?

------------------------------------------------------------------------------
Forrester Wave Report - Recovery time is now measured in hours and minutes
not days. Key insights are discussed in the 2010 Forrester Wave Report as
part of an in-depth evaluation of disaster recovery service providers.
Forrester found the best-in-class provider in terms of services and vision.
Read this report now!  http://p.sf.net/sfu/ibm-webcastpromo
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org

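To make the tuning decision in this thread concrete, the following added example (not Snort or Sourcefire code, and not part of either message above) re-implements the two detection options of SID 17294 in Python and runs them over constructed DNS payloads. The byte_test at offset 2 with `!&` and mask 0xF8 requires QR, Opcode, AA and TC to all be zero (a plain standard query), and the `|00 00|` content at offset 4 requires QDCOUNT to be zero; so the rule fires only on a standard query that carries no question section. The packet builder and the sample names are assumptions made for the example; the header-parsing helper is plain RFC 1035 layout, and the `flow:to_server` direction check is assumed to have already been applied by the engine.

```python
import struct

# Added example: re-implementation of the byte tests in Snort SID 17294
# (from the thread above) plus constructed DNS payloads to exercise them.
# Not Snort/Sourcefire code.

# RFC 1035 header: ID, flags (two bytes), QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
DNS_HEADER = struct.Struct("!HBBHHHH")


def parse_header(payload):
    """Decode the 12-byte DNS header into named fields (RFC 1035 layout)."""
    ident, fhi, flo, qd, an, ns, ar = DNS_HEADER.unpack_from(payload)
    return {
        "id": ident,
        "qr": fhi >> 7,
        "opcode": (fhi >> 3) & 0x0F,
        "aa": (fhi >> 2) & 1,
        "tc": (fhi >> 1) & 1,
        "rd": fhi & 1,
        "rcode": flo & 0x0F,
        "qdcount": qd,
        "ancount": an,
        "nscount": ns,
        "arcount": ar,
    }


def sid17294_matches(payload):
    """Apply the detection options of SID 17294 to a UDP/53 payload.

    byte_test:1,!&,0xF8,2  -> the byte at offset 2 has none of bits 0xF8 set,
                              i.e. QR=0, Opcode=0, AA=0, TC=0 (a plain query).
    content:"|00 00|"; offset:4; depth:2 -> QDCOUNT == 0.
    Both must hold. Port/direction (flow:to_server, dst port 53) are assumed
    to have been checked by the engine before these options run.
    """
    if len(payload) < 6:
        return False
    if payload[2] & 0xF8:
        return False
    return payload[4:6] == b"\x00\x00"


def encode_qname(name):
    """Encode a dotted name as DNS labels terminated by a zero-length label."""
    labels = [bytes([len(part)]) + part.encode("ascii") for part in name.split(".")]
    return b"".join(labels) + b"\x00"


def build_dns(ident, flags_hi, flags_lo, qdcount, question=None):
    """Build a DNS packet (assumed helper for the example).

    QDCOUNT is written exactly as given so that it can disagree with the
    number of question records actually present; that is the malformed
    shape the rule is looking for.
    """
    header = DNS_HEADER.pack(ident, flags_hi, flags_lo, qdcount, 0, 0, 0)
    body = b""
    if question is not None:
        body = encode_qname(question) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    return header + body


# Constructed sample payloads (not captured traffic).
NORMAL_QUERY = build_dns(0x1234, 0x01, 0x00, 1, "example.com")  # RD=1, one question
ZERO_QUESTION_QUERY = build_dns(0x1234, 0x01, 0x00, 0)          # RD=1, QDCOUNT=0, no body
RESPONSE_ZERO_QD = build_dns(0x1234, 0x81, 0x80, 0)             # QR=1: bit in 0xF8 set
INVERSE_QUERY_ZERO_QD = build_dns(0x1234, 0x09, 0x00, 0)        # Opcode=1: bit in 0xF8 set

SAMPLES = {
    "normal query": NORMAL_QUERY,
    "zero-question query": ZERO_QUESTION_QUERY,
    "response with QDCOUNT=0": RESPONSE_ZERO_QD,
    "IQUERY with QDCOUNT=0": INVERSE_QUERY_ZERO_QD,
}


def classify(samples):
    """Return {name: matches} for each sample payload."""
    return {name: sid17294_matches(p) for name, p in samples.items()}


if __name__ == "__main__":
    for name, hit in classify(SAMPLES).items():
        hdr = parse_header(SAMPLES[name])
        print(f"{name:28s} qr={hdr['qr']} opcode={hdr['opcode']} "
              f"qdcount={hdr['qdcount']} -> {'ALERT' if hit else 'no alert'}")
```

Feeding the UDP payloads of the five alerting packets through `sid17294_matches` (or just `parse_header`) confirms whether they really are zero-question standard queries; a legitimate resolver never sends one, so the decision reduces to whether an XP ICS host sits behind the sensor, as Matt's reply suggests.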
