Re: historical rule information?

["Miller - CDLE, Michael" <michael.miller () state co us>]

Thanks Patrick, I'm beginning to think it's a false positive. The top
destinations are all Akamai in nature, and I'm beginning to think there's
something specific about the originating site that's causing the alert.
We're providing internet access to a couple dozen recipients of similar
size, and this is the only one generating that traffic.


On Thu, Apr 18, 2013 at 10:57 AM, Patrick Mullen <pmullen () sourcefire com>wrote:

> Michael,
>
> Thank you for your query.  That rule is known to have issues with
> false positives so it is not enabled in any default policies, which
> means it is disabled by default.  The proper replacement for this
> alert is from a preprocessor, which has more contextual information
> surrounding the event that is possible within the rule --
>
> 129:15:1 Reset outside window
>
> (That is sid 15 of preprocessor 129, Stream5).
>
> Regarding your statement "There are two ISA servers on that network,
> and they've been patched according to the KB article referenced in the
> rule detail, but the alerts are still being generated," the rule has
> no way of knowing that your servers are patched.  This is part of
> tuning your IDS policy -- if you know your servers are not susceptible
> to this three year old attack, disable the rule to improve performance
> and reduce unnecessary alerts.
>
>
> Thanks,
>
> ~Patrick
>
> On Thu, Apr 18, 2013 at 11:55 AM, Miller - CDLE, Michael
> <michael.miller () state co us> wrote:
> > I'm hunting down a rule that's generating a LOT of traffic on our network
> > and was wondering if there were a wiki or history of rules to see what
> the
> > thinking was behind them. Specifically, I'm alerting on
> >
> > [3:15474:5] BAD-TRAFFIC Microsoft ISA Server and Forefront Threat
> Management
> > Gateway invalid RST denial of service attempt [Classification: Attempted
> > Denial of Service]
> >
> > There are two ISA servers on that network, and they've been patched
> > according to the KB article referenced in the rule detail
> > (http://technet.microsoft.com/en-us/security/bulletin/MS09-016), but the
> > alerts are still being generated.
> ------------------------------------------------------------------------------
> > Precog is a next-generation analytics platform capable of advanced
> > analytics on semi-structured data. The platform includes APIs for
> building
> > apps and a phenomenal toolset for data science. Developers can use
> > our toolset for easy data analysis & visualization. Get a free account!
> > http://www2.precog.com/precogplatform/slashdotnewsletter
> > _______________________________________________
> > Snort-sigs mailing list
> > Snort-sigs () lists sourceforge net
> > https://lists.sourceforge.net/lists/listinfo/snort-sigs
> > http://www.snort.org
> >
> >
> > Please visit http://blog.snort.org for the latest news about Snort!
>
>
>
> --
> Patrick Mullen
> Response Research Manager
> Sourcefire VRT



-- 
*Michael Miller*
*Network Security Engineer - SECOPS*
*
*
Governor's Office of Information Technology
Office of Information
Security<http://www.colorado.gov/cs/Satellite/OIT-Cyber/CBON/1249667675596>
633 17th st, Suite 800
Denver, Co 80202
Office (303)318-8317
Cell (720)308-0795

** How am I doing? **
** Please contact my manager, jonathan.trull () state co us for comments or
questions. **

------------------------------------------------------------------------------
Precog is a next-generation analytics platform capable of advanced
analytics on semi-structured data. The platform includes APIs for building
apps and a phenomenal toolset for data science. Developers can use
our toolset for easy data analysis & visualization. Get a free account!
http://www2.precog.com/precogplatform/slashdotnewsletter

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!