Snort mailing list archives

New Question for SID 17294 and SID 17407


From: Mohd Mukrim Che Mohamad Zulkifly <mukrim.zulkifly () bit com my>
Date: Tue, 12 Apr 2011 11:31:30 +0800

This is the rule for SID 17294

alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DOS Microsoft Windows NAT Helper DNS query denial of service attempt"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|00 00|"; depth:2; offset:4; reference:bugtraq,20804; reference:cve,2006-5614; classtype:attempted-dos; sid:17294; rev:2; )

and this is the rule for SID 

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-CLIENT Windows help file download request"; flow:to_server,established; content:".hlp"; nocase; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2006-3357; reference:cve,2006-4138; classtype:attempted-user; sid:17407; rev:4; )


Recently, I received alerts for those two rules:

SID 17294 (DOS Microsoft Windows NAT Helper DNS query denial of service attempt): 5 times, all Impact Flag 1
SID 17407 (WEB-CLIENT Windows help file download request): 3 times, 1 with Impact Flag 1, others with Impact Flag 3 and 4, all blocked by RNA Recommended Rule


Because they rarely occur, I decided to block all those as they don't seem to be significant to the network operation.
Was it really necessary to block them?
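To make the two rules' match conditions concrete, here is an added Python example (written for this archive page; it is not the poster's code and not part of Snort) that reproduces the payload checks of SID 17294 and SID 17407 on constructed sample data. It follows the documented Snort semantics of `byte_test` with the `!&` operator (true when `value & mask == 0`) and of `content` bounded by `offset`/`depth`; the function names `byte_test_not_and`, `content_at`, `build_dns`, `sid_17294_matches` and `sid_17407_matches` are this example's own. It deliberately ignores the rules' `flow`, port and `http_uri` buffer conditions and only evaluates the bytes, which is enough to see what a hit actually means: for SID 17294, a standard query (QR=0, opcode=0, AA=0 in the high flags byte) whose question count is zero.

```python
import struct


def byte_test_not_and(payload: bytes, num_bytes: int, mask: int, offset: int) -> bool:
    """Snort byte_test:<num_bytes>,!&,<mask>,<offset>: true when (value & mask) == 0.

    Snort will not match if the payload is too short for the read, so neither do we.
    """
    if len(payload) < offset + num_bytes:
        return False
    value = int.from_bytes(payload[offset:offset + num_bytes], "big")
    return (value & mask) == 0


def content_at(payload: bytes, needle: bytes, offset: int, depth: int) -> bool:
    """Snort content:<needle>; offset:<offset>; depth:<depth>:
    the needle must lie entirely inside payload[offset:offset+depth]."""
    return needle in payload[offset:offset + depth]


def build_dns(txid: int, flags: int, qdcount: int, ancount: int = 0,
              nscount: int = 0, arcount: int = 0) -> bytes:
    """Constructed 12-byte DNS header (no question or resource records) for testing."""
    return struct.pack("!HHHHHH", txid, flags, qdcount, ancount, nscount, arcount)


def sid_17294_matches(udp_payload: bytes) -> bool:
    """Payload checks of SID 17294: byte_test:1,!&,0xF8,2 and content:"|00 00|"; depth:2; offset:4.

    Byte 2 is the high flags byte (QR | Opcode x4 | AA | TC | RD); mask 0xF8 covers
    QR, Opcode and AA, so the test passes only for a standard, non-authoritative query.
    Bytes 4-5 are QDCOUNT, which must be zero.
    """
    return (byte_test_not_and(udp_payload, 1, 0xF8, 2)
            and content_at(udp_payload, b"\x00\x00", 4, 2))


def sid_17407_matches(uri: str) -> bool:
    """Payload check of SID 17407: content:".hlp"; nocase; against the request URI."""
    return ".hlp" in uri.lower()


def describe_dns(udp_payload: bytes) -> dict:
    """Decode the header fields the rule looks at, to explain why a packet did or did not hit."""
    txid, flags, qdcount = struct.unpack("!HHH", udp_payload[:6])
    return {
        "qr": (flags >> 15) & 1,
        "opcode": (flags >> 11) & 0xF,
        "aa": (flags >> 10) & 1,
        "qdcount": qdcount,
        "sid_17294": sid_17294_matches(udp_payload),
    }


if __name__ == "__main__":
    # Constructed samples: a normal recursive query, the same query with no question
    # section, and a response with no question section.
    samples = {
        "normal query, 1 question": build_dns(0x1234, 0x0100, 1),
        "query with 0 questions": build_dns(0x1234, 0x0100, 0),
        "response with 0 questions": build_dns(0x1234, 0x8180, 0),
    }
    for label, pkt in samples.items():
        print(f"{label:28s} -> {describe_dns(pkt)}")
    for uri in ("/docs/Guide.HLP", "/docs/guide.html"):
        print(f"{uri:28s} -> SID 17407 {sid_17407_matches(uri)}")
```

Run it and only the zero-question query hits SID 17294; a well-formed query (QDCOUNT=1) and any response (QR=1) do not. That is the practical point for triage: a 17294 alert means a malformed DNS query reached port 53 on a host, which is harmless to a patched resolver but worth checking the source of, while a 17407 alert is simply an outbound HTTP request for a `.hlp` file and says nothing by itself about malicious content.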