Snort mailing list archives
Re: Rule 17494
From: JJC <cummingsj () gmail com>
Date: Fri, 1 Oct 2010 14:23:08 -0600
As a matter of clarity... there are a number of distinct differences between a GID:3 stub rule and a GID:1 regular rule. Note the following GID:3 stub:

    alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS Microsoft IP Options denial of service"; sid:10127; gid:3; rev:1; classtype:attempted-dos; reference:url,www.microsoft.com/technet/security/bulletin/ms06-032.mspx; reference:cve,2006-2379; metadata: engine shared, soid 3|10127;)

You will see that it contains only a msg:""; value and no content or other testing keyword values. Also note that it contains a gid:x; keyword and a value soid within the metadata section. One common keyword that you may see would be flowbits:...; Using these items it should be fairly easy to identify a GID:3 vs a GID:1 based rule.

JJC

On Fri, Oct 1, 2010 at 2:14 PM, waldo kitty <wkitty42 () windstream net> wrote:
> On 10/1/2010 15:08, Jefferson, Shawn wrote:
>> Anyone else notice this rule, 17494 triggering a lot today? Or is it just me… it's an old vulnerability from 2006.
>>
>>     alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-CLIENT Microsoft Internet Explorer Long URL Buffer Overflow attempt"; flow:established,to_server; urilen:>260; content:"GET"; http_method; content:"HTTP|2F|1|2E|1|0D 0A|"; metadata:service http; reference:bugtraq,19667; reference:cve,2006-3869; classtype:attempted-user; sid:17494; rev:1;)
>
> please remember to include the GID (and revision)... AFAICT, this is either a GID:3 (SO rule) or it is one of the new ones not yet available to "registered" users...
>
> thank you ;)
>
> ------------------------------------------------------------------------------
> Start uncovering the many advantages of virtual appliances and start using them to simplify application deployment and accelerate your shift to cloud computing. http://p.sf.net/sfu/novell-sfdev2dev
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
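One way to apply JJC's checklist mechanically, as an added example rather than code from the thread or from Snort itself: a small Python classifier (my own code; the DETECTION_KEYWORDS shortlist is an assumption) that parses a rule's option block, returns the GID:SID:REV triple waldo asked posters to quote, and reports whether the rule looks like a GID:3 shared-object stub. The two sample rules are the ones quoted above, with the stub's long reference:url option dropped.

```python
import re

# Constructed samples: the two rules quoted in this thread (stub's reference:url dropped).
GID3_STUB = ('alert icmp $EXTERNAL_NET any -> $HOME_NET any '
             '(msg:"DOS Microsoft IP Options denial of service"; sid:10127; gid:3; '
             'rev:1; classtype:attempted-dos; reference:cve,2006-2379; '
             'metadata: engine shared, soid 3|10127;)')
GID1_RULE = ('alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS '
             '(msg:"WEB-CLIENT Microsoft Internet Explorer Long URL Buffer Overflow attempt"; '
             'flow:established,to_server; urilen:>260; content:"GET"; http_method; '
             'content:"HTTP|2F|1|2E|1|0D 0A|"; metadata:service http; '
             'reference:bugtraq,19667; reference:cve,2006-3869; '
             'classtype:attempted-user; sid:17494; rev:1;)')

# Keywords that test packet data (assumed shortlist, not the full Snort keyword table).
# flowbits is left out on purpose: the thread notes that stubs may carry it.
DETECTION_KEYWORDS = {"content", "pcre", "byte_test", "byte_jump", "urilen", "isdataat", "dsize"}

def parse_options(rule):
    """Split the parenthesised option block into (keyword, value) pairs;
    ';' only separates options outside double quotes, so content strings survive."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    opts, cur, in_quote = [], [], False
    for ch in body:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            key, _, val = "".join(cur).strip().partition(":")
            if key:
                opts.append((key.strip(), val.strip().strip('"')))
            cur = []
        else:
            cur.append(ch)
    return opts

def identity(rule):
    """GID:SID:REV, the triple the list asks posters to quote (gid and rev default to 1)."""
    o = dict(parse_options(rule))
    return f"{o.get('gid', '1')}:{o['sid']}:{o.get('rev', '1')}"

def classify(rule):
    """The thread's checklist: gid:3, a matching soid in metadata and no detection keywords."""
    opts = parse_options(rule)
    keys = {k for k, _ in opts}
    gid = dict(opts).get("gid", "1")
    meta = " ".join(v for k, v in opts if k == "metadata")
    soid = re.search(r"\bsoid\s+(\d+)\|(\d+)", meta)
    if gid == "3" and soid and soid.group(1) == gid and not keys & DETECTION_KEYWORDS:
        return "shared-object stub (GID:3)"
    return "text rule (GID:1)" if gid == "1" else "inconsistent"
```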
Current thread:
- Rule 17494 Jefferson, Shawn (Oct 01)
- Re: Rule 17494 Tomas Heredia (Oct 01)
- Re: Rule 17494 Joel Esler (Oct 01)
- Re: Rule 17494 Jeff Kell (Oct 01)
- Re: Rule 17494 waldo kitty (Oct 01)
- Re: Rule 17494 Jefferson, Shawn (Oct 01)
- Re: Rule 17494 JJC (Oct 01)
- Re: Rule 17494 waldo kitty (Oct 01)
- Re: Rule 17494 JJC (Oct 01)
- Re: Rule 17494 Tomas Heredia (Oct 01)
- Re: Rule 17494 infosec posts (Oct 01)
- Re: Rule 17494 Joel Esler (Oct 01)