Snort mailing list archives
Re: New Question for SID 17294 and SID 17407
From: Matt Olney <molney () sourcefire com>
Date: Tue, 12 Apr 2011 10:58:43 -0400
Windows help files are blocked by Outlook, and considered dangerous: http://office.microsoft.com/en-us/outlook-help/blocked-attachments-in-outlook-HA001229952.aspx

This may or may not be a false positive, let us know if it is, this rule is being reviewed.

I'll have to review the DOS research, but unless you have XP2 machines with internet sharing, you can probably safely disable this rule: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5614

Matt

On Mon, Apr 11, 2011 at 11:31 PM, Mohd Mukrim Che Mohamad Zulkifly <mukrim.zulkifly () bit com my> wrote:
This is the rule for SID 17294:

alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DOS Microsoft Windows NAT Helper DNS query denial of service attempt"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|00 00|"; depth:2; offset:4; reference:bugtraq,20804; reference:cve,2006-5614; classtype:attempted-dos; sid:17294; rev:2; )

and this is the rule for SID:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-CLIENT Windows help file download request"; flow:to_server,established; content:".hlp"; nocase; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2006-3357; reference:cve,2006-4138; classtype:attempted-user; sid:17407; rev:4; )

Recently, I received alerts for those two rules:

SID 17294 (DOS Microsoft Windows NAT Helper DNS query denial of service attempt): 5 times, all Impact Flag 1

SID 17407 (WEB-CLIENT Windows help file download request): 3 times, 1 with Impact Flag 1, others with Impact Flag 3 and 4, all blocked by RNA Recommended Rule

Because they rarely occur, I decided to block all those as they don't seem to be significant to the network operation. Was it really necessary to block them?
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org
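To judge whether the five SID 17294 hits are real matches or noise, it helps to see exactly what the rule's byte_test and content checks test in a DNS header. The following is an added example, not code from the thread or from Sourcefire: it re-implements the two checks in Python and runs them over constructed DNS payloads (a normal query, a zero-question query, and a response), so the logic can be applied to a captured UDP/53 payload during triage.

```python
"""Re-implementation (added example, not the Snort engine) of the payload
checks in SID 17294:

    byte_test:1,!&,0xF8,2; content:"|00 00|"; depth:2; offset:4;

byte 2 of the DNS header is the high byte of the flags word (QR, OPCODE,
AA, TC), so "!& 0xF8" requires QR=0, OPCODE=0, AA=0 and TC=0, i.e. a plain
standard query.  Bytes 4-5 are QDCOUNT; the content match requires them to
be 0x0000, so the "query" carries no question section at all.
"""
import struct


def sid_17294_matches(udp_payload: bytes) -> bool:
    """True when a UDP/53 payload satisfies both content checks of SID 17294."""
    if len(udp_payload) < 6:          # need bytes 0..5 for both tests
        return False
    # byte_test:1,!&,0xF8,2  ->  (payload[2] & 0xF8) == 0
    flags_hi_clear = (udp_payload[2] & 0xF8) == 0
    # content:"|00 00|"; offset:4; depth:2  ->  bytes 4..5 (QDCOUNT) == 0
    qdcount_zero = udp_payload[4:6] == b"\x00\x00"
    return flags_hi_clear and qdcount_zero


def dns_header_fields(udp_payload: bytes) -> dict:
    """Decode the 12-byte DNS header for an analyst reading the alert packet."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", udp_payload[:12])
    return {"id": txid, "qr": flags >> 15, "opcode": (flags >> 11) & 0xF,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def _header(txid, flags, qdcount, ancount=0):
    return struct.pack("!HHHHHH", txid, flags, qdcount, ancount, 0, 0)


def _qname(name):
    return b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"


# Constructed sample payloads (not captured traffic).
NORMAL_QUERY = _header(0x1234, 0x0100, 1) + _qname("www.example.com") + struct.pack("!HH", 1, 1)
ZERO_QUESTION_QUERY = _header(0x1234, 0x0100, 0)      # RD set, QDCOUNT=0: what the rule looks for
RESPONSE_NO_QUESTION = _header(0x1234, 0x8180, 0)     # QR=1 -> byte 2 = 0x81, fails the byte_test

if __name__ == "__main__":
    for label, pkt in [("normal query", NORMAL_QUERY),
                       ("zero-question query", ZERO_QUESTION_QUERY),
                       ("response, QDCOUNT=0", RESPONSE_NO_QUESTION)]:
        print(f"{label:22s} match={sid_17294_matches(pkt)} {dns_header_fields(pkt)}")
```

A normal resolver query always has QDCOUNT of at least 1, so a genuine match means the sensor saw a standard-query header with no question, which is worth a look at the full packet before deciding the hit is a false positive.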
Current thread:
- New Question for SID 17294 and SID 17407 Mohd Mukrim Che Mohamad Zulkifly (Apr 11)
- Re: New Question for SID 17294 and SID 17407 rmkml (Apr 12)
- Re: New Question for SID 17294 and SID 17407 Matt Olney (Apr 12)