Re: Sig thought (wpad)

[James Lay <jlay () slave-tothe-box net>]

On 2014-02-13 11:47, Jeremy Hoel wrote:
> You see wpad from the outside IPs to your DNS servers?  Is your DNS
> reachable from the outside?  wpad is just something windows does by
> default to any dns that it knows about, so I mean, it's not bad in
> that sense.  I guess it would depend on the config of your DNS that
> you are talking about.
>
> We wrote a modify.sid to stop 2003195 from firing for wpad
> (content:!"wpad";) but other then that.. we don't look for it since
> our DNS is local hosts only.
>
> On Thu, Feb 13, 2014 at 11:20 AM, James Lay 
> <jlay () slave-tothe-box net> wrote:
> > Should one see wpad requests from the outside world?  Seems kinda 
> > icky
> > to me...thinking about sigging that up..thoughts?
> >
> > James

Truth be told I'm assisting a buddy of mine...and on that DMZ I see a 
TON of wpad request to a web server from the Net...which I thought was 
unusual to say the least.  I'll take a peek at that rule..thanks Jeremy.

James

------------------------------------------------------------------------------
Android apps run on BlackBerry 10
Introducing the new BlackBerry 10.2.1 Runtime for Android apps.
Now with support for Jelly Bean, Bluetooth, Mapview and more.
Get your Android app in front of a whole new audience.  Start now.
http://pubads.g.doubleclick.net/gampad/clk?id=124407151&iu=/4140/ostg.clktrk
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!