Re: TMG Firewall Client long host entry exploit attempt

[Carlos G Mendioroz <tron () acm org>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Thanks Joel, as I said, that one is like sweeping under the carpet,
right ?

Snort is surprisingly quiet too. Other than this, it seems all the bad
guys went on vacation...

On this one, it seems that the rule is triggering on answers to a ROOT
dns query. That one also makes me wonder why is bind asking for that.

- -Carlos

Joel Esler (jesler) @ 02/03/2014 17:59 -0300 dixit:
> The easiest way to deal with this one is, if you aren't running the
> tmg firewall client, shut the rule off.
>
> -- Joel Esler Sent from my iPhone
>
> > On Mar 2, 2014, at 6:51, "Carlos G Mendioroz" <tron () acm org>
> > wrote:
> Hi, I've recently installed snort on a home border server. (again,
> this is a complete re-install of my place infrastructure :)
>
> I keep snort running, not frequently updated, just to have some
> sense of activity. Upload alerts to dshield too.
>
> This time, snort remained way too silent. But 3:19187:2 is firing
> with many of my server's DNS queries. (bind9 forwarder)
>
> I've search for clues but this seems to be an so rule and I don't
> know how to troubleshoot this. I guess I can disable the rule, but
> that's just going to hide the issue. I do have a capture of one
> incident triggering the rule, not that it is difficult to reproduce
> (
>
> Help ? TIA,
> > ------------------------------------------------------------------------------
Flow-based real-time traffic analytics software. Cisco certified tool.
> > Monitor traffic, SLAs, QoS, Medianet, WAAS etc. with NetFlow
> > Analyzer Customize your own dashboards, set traffic alerts and
> > generate reports. Network behavioral analysis & security
> > monitoring. All-in-one tool. 
> > http://pubads.g.doubleclick.net/gampad/clk?id=126839071&iu=/4140/ostg.clktrk
_______________________________________________
> > Snort-users mailing list Snort-users () lists sourceforge net Go to
> > this URL to change user options or unsubscribe: 
> > https://lists.sourceforge.net/lists/listinfo/snort-users 
> > Snort-users list archive: 
> > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest
Snort news!

- -- 
Carlos G Mendioroz  <tron () acm org>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.19 (MingW32)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlMTnSYACgkQ7qM4U9dTH39m3wCfYoSwD8Dob6S0ESdi6kzeRm18
szEAniV+wt9SBvZgYh6eajW1nya6uE4P
=jiVe
-----END PGP SIGNATURE-----

------------------------------------------------------------------------------
Flow-based real-time traffic analytics software. Cisco certified tool.
Monitor traffic, SLAs, QoS, Medianet, WAAS etc. with NetFlow Analyzer
Customize your own dashboards, set traffic alerts and generate reports.
Network behavioral analysis & security monitoring. All-in-one tool.
http://pubads.g.doubleclick.net/gampad/clk?id=126839071&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!