Snort mailing list archives

Question about "BAD-TRAFFIC TMG Firewall Client..." SO rule


From: "C. L. Martinez" <carlopmart () gmail com>
Date: Fri, 14 Dec 2012 07:27:15 +0000

Hi all,

For several days, in fact since I activated the so_rules, I am getting
many "BAD-TRAFFIC TMG Firewall Client long host entry exploit attempt"
alerts. In my network, some workstations use the TMG Firewall Client, but
servers and some workstations do not. And it is strange because this
alarm is triggered only on Unix hosts and on two Windows 2008 AD
servers (neither of which has the TMG client installed), and only when
doing DNS queries. For example:

[**] [3:19187:2] BAD-TRAFFIC TMG Firewall Client long host entry exploit attempt [**]
[Classification: Attempted User Privilege Gain] [Priority: 1]
12/14-02:03:18.271097 149.20.64.4:53 -> 10.196.0.103:53
UDP TTL:52 TOS:0x0 ID:24219 IpLen:20 DgmLen:964
Len: 936
[Xref => http://technet.microsoft.com/en-us/security/bulletin/MS11-040][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2011-1889]

10.196.0.103 is a CentOS machine with Bind9 installed... so why is
this alert triggered??
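The triage check a practitioner would run before touching the rule, added here as an example and not part of the original post or of the Snort distribution: it parses Snort's "full" alert format, groups hits of each gid:sid by destination host, and reports whether every hit on that host is a UDP datagram sourced from port 53, i.e. a DNS response rather than anything a TMG Firewall Client would send. The alert log is constructed (the alert from the post plus two made-up entries, one more UDP/53 response to the BIND host and one TCP hit on a different host); the threshold.conf `suppress` lines it emits use Snort 2.x syntax and assume you have already confirmed those DNS responses are benign.

```python
import re
import sys
from collections import defaultdict

# Constructed sample input: the alert quoted in the post, plus two made-up
# entries (another UDP/53 response to the BIND host and a TCP hit on a
# different host) so that the grouping has something to separate.
SAMPLE_ALERTS = """\
[**] [3:19187:2] BAD-TRAFFIC TMG Firewall Client long host entry exploit attempt [**]
[Classification: Attempted User Privilege Gain] [Priority: 1]
12/14-02:03:18.271097 149.20.64.4:53 -> 10.196.0.103:53
UDP TTL:52 TOS:0x0 ID:24219 IpLen:20 DgmLen:964
Len: 936
[Xref => http://technet.microsoft.com/en-us/security/bulletin/MS11-040][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2011-1889]

[**] [3:19187:2] BAD-TRAFFIC TMG Firewall Client long host entry exploit attempt [**]
[Classification: Attempted User Privilege Gain] [Priority: 1]
12/14-02:05:41.100233 192.0.2.53:53 -> 10.196.0.103:53
UDP TTL:57 TOS:0x0 ID:1010 IpLen:20 DgmLen:700
Len: 672

[**] [3:19187:2] BAD-TRAFFIC TMG Firewall Client long host entry exploit attempt [**]
[Classification: Attempted User Privilege Gain] [Priority: 1]
12/14-02:07:02.000001 198.51.100.7:4321 -> 10.196.0.50:1745
TCP TTL:64 TOS:0x0 ID:3 IpLen:20 DgmLen:900 DF
***AP*** Seq: 0x1 Ack: 0x2 Win: 0x100 TcpLen: 20
"""

# Snort "full" alert format: header line, classification line, flow line,
# protocol line. Ports are optional in the flow line (ICMP has none).
HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]$")
FLOW_RE = re.compile(
    r"^(\S+) (\d+\.\d+\.\d+\.\d+)(?::(\d+))? -> (\d+\.\d+\.\d+\.\d+)(?::(\d+))?$")
PROTO_RE = re.compile(r"^(TCP|UDP|ICMP|IP) TTL:")


def parse_alerts(text):
    """Parse Snort 'full' alert output into one dict per alert block."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        m = HEADER_RE.match(lines[0])
        if not m:
            continue  # not an alert block (stray line, truncated entry)
        gid, sid, rev, msg = m.groups()
        rec = {"gid": int(gid), "sid": int(sid), "rev": int(rev), "msg": msg,
               "ts": None, "src": None, "sport": None, "dst": None,
               "dport": None, "proto": None}
        for line in lines[1:]:
            fm = FLOW_RE.match(line)
            if fm:
                ts, src, sport, dst, dport = fm.groups()
                rec.update(ts=ts, src=src, dst=dst,
                           sport=int(sport) if sport else None,
                           dport=int(dport) if dport else None)
                continue
            pm = PROTO_RE.match(line)
            if pm:
                rec["proto"] = pm.group(1)
        alerts.append(rec)
    return alerts


def summarize(alerts):
    """Group alerts by (gid, sid, destination host), recording the flows seen."""
    groups = defaultdict(lambda: {"count": 0, "flows": set(), "msg": ""})
    for a in alerts:
        g = groups[(a["gid"], a["sid"], a["dst"])]
        g["count"] += 1
        g["flows"].add((a["proto"], a["sport"], a["dport"]))
        g["msg"] = a["msg"]
    return groups


def dns_response_only(flows):
    """True when every hit on this host is a UDP datagram from source port 53."""
    return bool(flows) and all(p == "UDP" and sp == 53 for p, sp, _ in flows)


def suppress_lines(groups):
    """threshold.conf suppress entries for hosts whose hits are all DNS responses."""
    return [f"suppress gen_id {gid}, sig_id {sid}, track by_dst, ip {dst}"
            for (gid, sid, dst), g in sorted(groups.items())
            if dns_response_only(g["flows"])]


if __name__ == "__main__":
    # Usage: python triage.py /var/log/snort/alert   (falls back to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ALERTS
    groups = summarize(parse_alerts(text))
    for (gid, sid, dst), g in sorted(groups.items()):
        flows = ", ".join(f"{p}/{sp}->{dp}" for p, sp, dp in sorted(g["flows"], key=str))
        verdict = "all DNS responses" if dns_response_only(g["flows"]) else "mixed"
        print(f"{gid}:{sid} -> {dst}: {g['count']} hit(s) [{flows}] {verdict}")
    for line in suppress_lines(groups):
        print(line)
```

Review the emitted lines before adding them to threshold.conf: `track by_dst` suppresses every hit of that gid:sid toward the host, not only the DNS ones, so a host that also sees TCP hits (the constructed 10.196.0.50 entry) is deliberately left out.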

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net