[Snort-sigs] SID 15474 - MS ISA Server and Forefront Threat Management Gateway DoS

Nigel Houghton nhoughton at ...435...
Wed Jan 13 14:01:07 EST 2010


On Wed, Jan 13, 2010 at 12:56 PM, Guise McAllaster
<guise.mcallaster at ...2420...> wrote:
> Hello.  Thank you for your response.   Turns out that I do not have MS ISA.  But
> now I am curious.  The alert is happening on a very small packet.  Why?  Not
> sure if it is encrypted data.  Can I get a copy of the source code for this?
>
> Thanks.
>
> Guise
>
> On Wed, Jan 13, 2010 at 5:23 PM, JJ Cummings <cummingsj at ...2420...> wrote:
>>
>> First thing that I would do is look at the source and destination of the
>> proposed "attack" and determine if the traffic that it is sending is
>> legitimate, then if you cannot confirm that this traffic should exist in the
>> form that it is in.. continue down the line that you are..
>>
>> is the target (destination) an MS ISA Server and Forefront Threat
>> Management Gateway? etc...
>>
>> On Wed, Jan 13, 2010 at 10:14 AM, Guise McAllaster
>> <guise.mcallaster at ...2420...> wrote:
>>>
>>> Hello.  I am experiencing massive rule alerting for SID 15474 - MS ISA
>>> Server and Forefront Threat Management Gateway DoS.  I want to know if it is
>>> all false positive or not, but apparently the rule is GID 3.  What to do?  I am
>>> trying to find this rule in the source code but cannot.  Where is it?  I
>>> thought Snort was open source?  Can someone make me aware of the location
>>> where I can receive the code for this?
>>>
>>> Thank you in advance.
>>>
>>> Guise
>>>
>>>
>>>
>>
>>
>>
>
>
>
>

If you have pcap data for the event, can you send it to research @ so
we can look at it and see if it is a false positive or not?

-- 
Nigel Houghton
Head Mentalist
SF VRT
http://vrt-sourcefire.blogspot.com && http://www.snort.org/vrt/
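The triage JJ Cummings describes (check source and destination of each hit, and whether the destination is actually an ISA/TMG host) as a script, added here as an example; it is not part of the thread or of the Snort distribution. It assumes Snort's alert_fast output format, uses constructed sample alert lines, and takes the set of known ISA/TMG hosts as an input you supply for your own environment.

```python
import re
from collections import Counter

# Snort alert_fast line layout; the sample lines further down are constructed.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.+?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

# Constructed sample alerts: GID 3 (shared object rule, so its detection logic is
# compiled rather than a text rule) SID 15474 firing repeatedly, plus one unrelated hit.
SAMPLE_ALERTS = """\
01/13-10:14:01.000001  [**] [3:15474:1] MS ISA Server and Forefront Threat Management Gateway DoS [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 10.1.1.20:51234 -> 192.0.2.10:443
01/13-10:14:01.200001  [**] [3:15474:1] MS ISA Server and Forefront Threat Management Gateway DoS [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 10.1.1.20:51235 -> 192.0.2.10:443
01/13-10:14:02.000001  [**] [3:15474:1] MS ISA Server and Forefront Threat Management Gateway DoS [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 10.1.1.21:49152 -> 198.51.100.7:443
01/13-10:14:03.000001  [**] [1:1000001:1] Unrelated local rule [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.1.1.22:40000 -> 198.51.100.7:80
"""

def parse_alerts(text):
    """Return one dict per parsable alert_fast line; unparsable lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            alerts.append(m.groupdict())
    return alerts

def triage(alerts, gid, sid, known_targets):
    """Split hits for one gid:sid by whether the destination is a known ISA/TMG host.

    known_targets is the set of hosts that actually run MS ISA Server / Forefront TMG
    in your environment (an input you supply). Hits whose destination is not in that
    set are not reaching a vulnerable target and are the first candidates for
    false-positive review; the (src, dst) counter shows which pairs dominate."""
    matched = [a for a in alerts if a["gid"] == str(gid) and a["sid"] == str(sid)]
    on_target = [a for a in matched if a["dst"] in known_targets]
    return {
        "total": len(matched),
        "on_target": len(on_target),
        "off_target": len(matched) - len(on_target),
        "pairs": Counter((a["src"], a["dst"]) for a in matched),
    }

if __name__ == "__main__":
    # Guise's situation: no ISA/TMG in the environment, so the known set is empty.
    print(triage(parse_alerts(SAMPLE_ALERTS), gid=3, sid=15474, known_targets=set()))
```

With an empty known set every hit lands in off_target, which is the quickest way to confirm the thread's conclusion that the alerts are not hitting an ISA/TMG server at all; the matching pcap is still what the rule maintainers need to judge the rule itself.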