[Snort-sigs] New Question for SID 17294 and SID 17407

Mohd Mukrim Che Mohamad Zulkifly mukrim.zulkifly at ...3584...
Mon Apr 11 23:31:30 EDT 2011


This is the rule for SID 17294

Rule 	alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DOS Microsoft Windows NAT Helper DNS query denial of service attempt"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|00 00|"; depth:2; offset:4; reference:bugtraq,20804; reference:cve,2006-5614; classtype:attempted-dos; sid:17294; rev:2; )

and this is the rule for SID 

Rule 	alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-CLIENT Windows help file download request"; flow:to_server,established; content:".hlp"; nocase; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2006-3357; reference:cve,2006-4138; classtype:attempted-user; sid:17407; rev:4; )


Recently, I received alerts for those two rules

SID 17294 ( DOS Microsoft Windows NAT Helper DNS query denial of service attempt)                        5 times, all Impact Flag 1
SID 17407 ( WEB-CLIENT Windows help file download request )                                                            3 times, 1 with Impact Flag 1, others with Impact Flag 3 and 4, all blocked by RNA Recommended Rule


Because they rarely occurs, I decided to block all those as they don't seem to be significant to the network operation. Was it really necessary to block them?



More information about the Snort-sigs mailing list