Snort mailing list archives
Re: Question about "BAD-TRAFFIC TMG Firewall Client..." so rule
From: Joel Esler <jesler () sourcefire com>
Date: Fri, 14 Dec 2012 10:17:27 -0500
On Fri, Dec 14, 2012 at 07:27:15AM +0000, C. L. Martinez wrote:
Hi all,

For several days, in fact since I activated the so_rules, I am getting many "BAD-TRAFFIC TMG Firewall Client long host entry exploit attempt" alerts. In my network, some workstations use TMG Firewall Client, but servers and some workstations do not. And it is strange because this alarm is triggered only with Unix hosts and with two Windows 2008 AD servers (they either have the TMG client installed) and only when doing DNS queries. For example:

    [**] [3:19187:2] BAD-TRAFFIC TMG Firewall Client long host entry exploit attempt [**]
    [Classification: Attempted User Privilege Gain] [Priority: 1]
    12/14-02:03:18.271097 149.20.64.4:53 -> 10.196.0.103:53
    UDP TTL:52 TOS:0x0 ID:24219 IpLen:20 DgmLen:964 Len: 936
    [Xref => http://technet.microsoft.com/en-us/security/bulletin/MS11-040][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2011-1889]

10.196.0.103 is a CentOS machine with Bind9 installed... then why is this alert triggered??
I'll have the person who wrote this rule get back to you on this.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
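A triage helper for the alert format quoted in the question, added here as an example and not part of the thread or of Snort itself: it parses Snort full-format alerts and, for hits of gen_id 3 / sig_id 19187 whose destination is a DNS server you list (assumed here to be 10.196.0.103, the BIND host in the question), emits threshold.conf suppress lines, so the rule stays active for the TMG clients it was written for while the server-to-server DNS hits are silenced. The second sample alert is constructed for contrast.

```python
import re

# Constructed sample in Snort's "full" alert format. The first record is the
# alert from the thread; the second is made up (documentation address range).
SAMPLE_ALERTS = """\
[**] [3:19187:2] BAD-TRAFFIC TMG Firewall Client long host entry exploit attempt [**]
[Classification: Attempted User Privilege Gain] [Priority: 1]
12/14-02:03:18.271097 149.20.64.4:53 -> 10.196.0.103:53
UDP TTL:52 TOS:0x0 ID:24219 IpLen:20 DgmLen:964 Len: 936
[Xref => http://technet.microsoft.com/en-us/security/bulletin/MS11-040]

[**] [3:19187:2] BAD-TRAFFIC TMG Firewall Client long host entry exploit attempt [**]
[Classification: Attempted User Privilege Gain] [Priority: 1]
12/14-02:05:01.000000 203.0.113.9:53 -> 10.196.0.57:51234
UDP TTL:60 TOS:0x0 ID:100 IpLen:20 DgmLen:700 Len: 672
"""

HEADER = re.compile(r"\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]")
FLOW = re.compile(r"^\S+ (\S+):(\d+) -> (\S+):(\d+)$", re.M)
PROTO = re.compile(r"^(TCP|UDP|ICMP)\b", re.M)

def parse_alerts(text):
    """Split full-format alert text into one dict per [**] record."""
    out = []
    for rec in text.split("\n\n"):
        h, f, p = HEADER.search(rec), FLOW.search(rec), PROTO.search(rec)
        if not (h and f and p):
            continue  # incomplete record (e.g. truncated log tail)
        out.append({"gid": int(h[1]), "sid": int(h[2]), "rev": int(h[3]),
                    "msg": h[4], "src": f[1], "sport": int(f[2]),
                    "dst": f[3], "dport": int(f[4]), "proto": p[1]})
    return out

def suppress_for_dns_servers(alerts, gid, sid, dns_servers):
    """Return threshold.conf 'suppress' lines for hits of (gid, sid) that are
    UDP delivered to port 53 on a host you know to be a DNS server (the
    pattern the question describes: a BIND server, not a TMG client).
    Suppressing by destination IP keeps the rule enabled everywhere else."""
    lines = set()
    for a in alerts:
        if (a["gid"], a["sid"]) != (gid, sid) or a["proto"] != "UDP":
            continue
        if a["dport"] == 53 and a["dst"] in dns_servers:
            lines.add(f"suppress gen_id {gid}, sig_id {sid}, "
                      f"track by_dst, ip {a['dst']}")
    return sorted(lines)

if __name__ == "__main__":
    for line in suppress_for_dns_servers(parse_alerts(SAMPLE_ALERTS),
                                         3, 19187, {"10.196.0.103"}):
        print(line)
```

Review each generated line before adding it to threshold.conf; a suppress hides every hit of that SID for the listed host, so only hosts verified to be DNS servers belong in the set.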
Current thread:
- Question about "BAD-TRAFFIC TMG Firewall Client..." so rule C. L. Martinez (Dec 13)
- Re: Question about "BAD-TRAFFIC TMG Firewall Client..." so rule Joel Esler (Dec 14)