Snort mailing list archives

Re: rule exclusion by content


From: lists () packetmail net
Date: Thu, 13 Jul 2017 11:02:18 -0500

On 07/13/17 10:52, lravelo () us hellmann net wrote:

alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"PROTOCOL-DNS TMG Firewall Client long host entry exploit attempt"; sid:19187; gid:3; rev:7; classtype:attempted-user; reference:cve,2011-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-040; metadata: engine shared, soid 3|19187, policy max-detect-ips drop;)

we use OpenDNS in our environment and it seems like every single alert contains
"opendns" somewhere in the content.  I'm sure there's a way to adjust or create
another rule which negates the alert if the payload contains the word "opendns"
but I've not seen any examples of this online.  Any help is appreciated :-)

Ah yes, the infamous SO rules :)  IMHO, any reason to run this as it's a 2011
vuln?  meows://technet.microsoft.com/en-us/library/security/ms11-040.aspx

Seems it EOL'd in 2012 --
meows://tmgblog.richardhicks.com/2012/09/12/forefront-tmg-2010-end-of-life-statement/
and
meows://blogs.technet.microsoft.com/hybridcloud/2012/09/12/important-changes-to-forefront-product-roadmaps/

Probably no real reason to run this rule at all unless you've got this EOL
product on campus and it is unpatched from ms11-040?

Cheers,
Nathan

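Added example, not part of this thread or of the Snort ruleset: two Snort 2.x tuning fragments for the question above. The quoted rule is a shared-object stub ("metadata: engine shared, soid 3|19187"), so its detection logic is compiled into the .so and appending a negated content match to the stub would not change what it detects; the exclusion has to be done around the rule instead. The local sid 1000001, the msg text and the resolver address are assumptions to be replaced with your own values.

```snort
# Option 1 (local.rules): a pass rule on the same traffic, keyed on payload.
# Snort 2.8+ evaluates pass rules before alert rules by default (unless snort
# was started with --alert-before-pass), so a matching DNS response is passed
# before 3:19187 can fire on it. sid 1000001 is a hypothetical local sid.
pass udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"LOCAL pass OpenDNS responses ahead of 3:19187"; content:"opendns"; nocase; sid:1000001; rev:1;)

# Option 2 (threshold.conf): suppress 3:19187 only for your resolvers, tracked
# by source IP, so the signature still fires for responses from any other server.
# <OPENDNS_RESOLVER_IP> is a placeholder for the resolver address you actually use.
suppress gen_id 3, sig_id 19187, track by_src, ip <OPENDNS_RESOLVER_IP>/32
```

Option 1 drops every DNS response containing "opendns" from detection, including any other rule that might have matched it, so the narrower per-source suppression in Option 2 is the safer default; a plain `suppress gen_id 3, sig_id 19187` with no track clause silences the signature entirely, which matches Nathan's point that the rule covers a product that has been EOL since 2012.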
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

http://www.snort.org

Please visit http://blog.snort.org for the latest news about Snort!

Visit Snort.org to subscribe to the official Snort ruleset, and make sure to stay up to date to catch the most emerging threats: https://snort.org/downloads/#rule-downloads

