Re: TMG Firewall Client long host entry exploit attempt

["Joel Esler (jesler)" <jesler () cisco com>]

The easiest way to deal with this one is, if you aren't running the tmg firewall client, shut the rule off. 

--
Joel Esler
Sent from my iPhone

> On Mar 2, 2014, at 6:51, "Carlos G Mendioroz" <tron () acm org> wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi,
> I've recently installed snort on a home border server.
> (again, this is a complete re-install of my place infrastructure :)
>
> I keep snort running, not frequently updated, just to have some sense
> of activity. Upload alerts to dshield too.
>
> This time, snort remained way too silent. But 3:19187:2 is firing with
> many of my server's DNS queries. (bind9 forwarder)
>
> I've search for clues but this seems to be an so rule and I don't know
> how to troubleshoot this. I guess I can disable the rule, but that's
> just going to hide the issue. I do have a capture of one incident
> triggering the rule, not that it is difficult to reproduce (
>
> Help ?
> TIA,
> - -- 
> Carlos G Mendioroz  <tron () acm org>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.19 (MingW32)
> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>
> iEYEARECAAYFAlMTFNUACgkQ7qM4U9dTH3+eQwCdFI75k+fC5iFNGJgZbxF1c8Av
> aqcAn2xLfrd8bxdbBVvo3zZLMvOviZ+t
> =mYmm
> -----END PGP SIGNATURE-----
>
> ------------------------------------------------------------------------------
> Flow-based real-time traffic analytics software. Cisco certified tool.
> Monitor traffic, SLAs, QoS, Medianet, WAAS etc. with NetFlow Analyzer
> Customize your own dashboards, set traffic alerts and generate reports.
> Network behavioral analysis & security monitoring. All-in-one tool.
> http://pubads.g.doubleclick.net/gampad/clk?id=126839071&iu=/4140/ostg.clktrk
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!

Attachment: smime.p7s
Description:

------------------------------------------------------------------------------
Flow-based real-time traffic analytics software. Cisco certified tool.
Monitor traffic, SLAs, QoS, Medianet, WAAS etc. with NetFlow Analyzer
Customize your own dashboards, set traffic alerts and generate reports.
Network behavioral analysis & security monitoring. All-in-one tool.
http://pubads.g.doubleclick.net/gampad/clk?id=126839071&iu=/4140/ostg.clktrk

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!