Snort mailing list archives
Re: rule exclusion by content
From: lravelo () us hellmann net
Date: Thu, 13 Jul 2017 12:06:10 -0400
We don't use TMG at all. If the vulnerability is only related to that then it's probably a better idea to disable the sid altogether. Thanks for the help.

Regards,

Lazaro Ravelo
ISS Systems Engineer II
Hellmann Worldwide Logistics Inc.
10450 Doral Blvd
Doral, FL 33178
Phone: +1 305 406 4500
Fax: +1 305 418 4992
Direct: +1 305 406 4574
Mobile: +1 305 927 1386
Email: Lazaro.Ravelo () us hellmann net
Web: www.hellmann.com

THINKING AHEAD - MOVING FORWARD

From: lists () packetmail net
To: lravelo () us hellmann net, snort-sigs () lists snort org
Date: 07/13/2017 12:02 PM
Subject: Re: [Snort-sigs] rule exclusion by content

On 07/13/17 10:52, lravelo () us hellmann net wrote:
> alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"PROTOCOL-DNS TMG Firewall Client long host entry exploit attempt"; sid:19187; gid:3; rev:7; classtype:attempted-user; reference:cve,2011-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-040; metadata:engine shared, soid 3|19187, policy max-detect-ips drop;)
>
> We use OpenDNS in our environment and it seems like every single alert contains "opendns" somewhere in the content. I'm sure there's a way to adjust or create another rule which negates the alert if the payload contains the word "opendns", but I've not seen any examples of this online. Any help is appreciated :-)

Ah yes, the infamous SO rules :)

IMHO, any reason to run this as it's a 2011 vuln?
meows://technet.microsoft.com/en-us/library/security/ms11-040.aspx

Seems it EOL'd in 2012 -- meows://tmgblog.richardhicks.com/2012/09/12/forefront-tmg-2010-end-of-life-statement/ and meows://blogs.technet.microsoft.com/hybridcloud/2012/09/12/important-changes-to-forefront-product-roadmaps/

Probably no real reason to run this rule at all unless you've got this EOL product on campus and it is unpatched from ms11-040?

Cheers,
Nathan

07/13/2017----12:02:18 PM
Disclaimer: Please note that Internet communications are not secure and therefore HELLMANN WORLDWIDE LOGISTICS does not accept legal responsibility for the contents of this message. This e-mail is intended only for the use of the individual or entity named above and may contain information that is confidential and privileged. If you are not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this e-mail is strictly prohibited. Opinions, conclusions and other information in this message that do not relate to the official business of HELLMANN WORLDWIDE LOGISTICS shall be understood as neither given nor endorsed by it. Viruses: HELLMANN WORLDWIDE LOGISTICS takes all possible steps to ensure that emails are virus free, but does not accept any liability or responsibility whatsoever for any claims, losses or damages arising as a result of any party accessing this email or files attached to it.
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs
http://www.snort.org

Please visit http://blog.snort.org for the latest news about Snort!

Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most emerging threats (https://snort.org/downloads/#rule-downloads)!
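The exclusion the original question asked about, shown as an added example that is not part of the thread and not from the official Snort ruleset. The gid/sid 3:19187 and the stub rule are the ones quoted above; the local sid 1000001, the file names (rules/local.rules, threshold.conf, so_rules/protocol-dns.rules) and the resolver addresses are assumptions for a Snort 2.9 deployment, so substitute whatever yours actually uses. Three ways to stop 3:19187 firing on OpenDNS responses, from broadest to narrowest:

```snort
# 1. Local pass rule (rules/local.rules): a UDP/53 response whose payload contains
#    "opendns" (a DNS label, so it appears as a contiguous byte string) is ignored by
#    ALL rules, not just 3:19187. Broad: it blinds every DNS alert for packets that
#    carry that string. Pass rules must be evaluated before alert rules; check
#    "config order:" in snort.conf (older releases needed the -o switch).
pass udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"LOCAL pass OpenDNS responses for 3:19187"; content:"opendns"; nocase; sid:1000001; rev:1;)

# 2. Suppress (threshold.conf, or wherever your snort.conf includes it): the rule still
#    runs on every DNS response, but alerts from the listed resolvers are dropped before
#    output. Other sources still alert. Assumed addresses: OpenDNS' published resolvers;
#    use the ones your clients are actually configured to query.
suppress gen_id 3, sig_id 19187, track by_src, ip 208.67.222.222
suppress gen_id 3, sig_id 19187, track by_src, ip 208.67.220.220

# 3. Disable the rule entirely (what the thread settled on for an EOL product): comment
#    out the stub in the so_rules file for the protocol-dns category so it is never
#    loaded and never evaluated. The rule is a shared-object rule, so the only text you
#    can edit is this stub; its detection logic lives in the .so file.
# alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"PROTOCOL-DNS TMG Firewall Client long host entry exploit attempt"; sid:19187; gid:3; rev:7; classtype:attempted-user; reference:cve,2011-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-040; metadata:engine shared, soid 3|19187, policy max-detect-ips drop;)
```

Option 1 answers the literal question but is the one to avoid: a matching pass rule removes the packet from detection completely, so anything that embeds "opendns" in a DNS response walks past every other DNS signature too. Option 2 keeps the signature for all other sources and is the usual choice when the rule is still wanted. Option 3 is the right answer when, as here, nothing on the network runs the product the rule protects, and it also saves evaluating a shared-object rule against every inbound DNS response.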
Current thread:
- rule exclusion by content lravelo (Jul 13)
- Re: rule exclusion by content Al Lewis (allewi) via Snort-sigs (Jul 13)
- Re: rule exclusion by content lravelo (Jul 13)
- Re: rule exclusion by content lists (Jul 13)
- Re: rule exclusion by content lravelo (Jul 13)
- Re: rule exclusion by content Thomas Bounds (Jul 13)
- Re: rule exclusion by content lravelo (Jul 13)
- Re: rule exclusion by content wkitty42 (Jul 13)
- Re: rule exclusion by content Al Lewis (allewi) via Snort-sigs (Jul 13)