[Snort-sigs] New Question for SID 17294 and SID 17407
Mohd Mukrim Che Mohamad Zulkifly
mukrim.zulkifly at ...3584...
Mon Apr 11 23:31:30 EDT 2011
This is the rule for SID 17294
Rule alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DOS Microsoft Windows NAT Helper DNS query denial of service attempt"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|00 00|"; depth:2; offset:4; reference:bugtraq,20804; reference:cve,2006-5614; classtype:attempted-dos; sid:17294; rev:2; )
and this is the rule for SID
Rule alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-CLIENT Windows help file download request"; flow:to_server,established; content:".hlp"; nocase; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2006-3357; reference:cve,2006-4138; classtype:attempted-user; sid:17407; rev:4; )
Recently, I received alerts for those two rules
SID 17294 ( DOS Microsoft Windows NAT Helper DNS query denial of service attempt) 5 times, all Impact Flag 1
SID 17407 ( WEB-CLIENT Windows help file download request ) 3 times, 1 with Impact Flag 1, others with Impact Flag 3 and 4, all blocked by RNA Recommended Rule
Because they rarely occur, I decided to block all those as they don't seem to be significant to the network operation. Was it really necessary to block them?
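To see exactly what traffic the two quoted rules flag, here is a small Python re-implementation of just their payload tests, evaluated against constructed sample packets. This is added illustration code, not Snort and not anything from the original post; the helper names (`sid_17294_matches`, `sid_17407_matches`, `build_dns_header`) and the sample headers are my own assumptions. For SID 17294, `byte_test:1,!&,0xF8,2` inspects byte 2 of the DNS header (QR, OPCODE and AA bits) and passes only when none of those bits are set, and `content:"|00 00|"; offset:4; depth:2` requires QDCOUNT to be zero, so the rule fires on a standard query that carries no question. For SID 17407, `content:".hlp"; nocase; http_uri` is a case-insensitive substring match on the request URI.

```python
"""Re-implementation of the payload tests in Snort SIDs 17294 and 17407.

Hypothetical example code (not Snort itself) that reproduces only the
detection options those two rules carry, so the conditions that raise
each alert can be checked against constructed sample traffic offline.
"""
import struct


def build_dns_header(txid: int, flags: int, qdcount: int,
                     ancount: int = 0, nscount: int = 0, arcount: int = 0) -> bytes:
    """Pack a 12-byte DNS header (constructed sample data, no question section)."""
    return struct.pack("!HHHHHH", txid, flags, qdcount, ancount, nscount, arcount)


def sid_17294_matches(udp_payload: bytes) -> bool:
    """SID 17294: byte_test:1,!&,0xF8,2 and content:"|00 00|"; offset:4; depth:2.

    Byte 2 of a DNS header holds QR (bit 7), OPCODE (bits 6-3) and AA (bit 2).
    byte_test with the '!&' operator succeeds when (byte & 0xF8) == 0, i.e. a
    standard query with no masked bit set. Bytes 4-5 are QDCOUNT; the content
    match requires them to be 00 00, a query that asks no question at all.
    """
    if len(udp_payload) < 6:
        return False  # the tests reach byte 5; a shorter payload cannot match
    no_masked_bits_set = (udp_payload[2] & 0xF8) == 0
    qdcount_is_zero = udp_payload[4:6] == b"\x00\x00"
    return no_masked_bits_set and qdcount_is_zero


def sid_17407_matches(http_uri: str) -> bool:
    """SID 17407: content:".hlp"; nocase; http_uri.

    A case-insensitive substring match on the request URI; Snort applies it
    to the normalized URI buffer, which includes any query string.
    """
    return ".hlp" in http_uri.lower()


def main() -> None:
    # Constructed sample DNS headers: (label, header bytes)
    samples = [
        ("normal recursive query, 1 question",  build_dns_header(0x1234, 0x0100, 1)),
        ("standard query with QDCOUNT = 0",     build_dns_header(0x1234, 0x0000, 0)),
        ("response (QR set) with QDCOUNT = 0",  build_dns_header(0x1234, 0x8180, 0)),
    ]
    for label, header in samples:
        print(f"SID 17294  {label:<38} -> {sid_17294_matches(header)}")

    # Constructed sample URIs for the HTTP client rule
    for uri in ("/docs/Windows.HLP", "/docs/help.html", "/get?f=readme.hlp"):
        print(f"SID 17407  {uri:<38} -> {sid_17407_matches(uri)}")


if __name__ == "__main__":
    main()
```

Only the second DNS sample (a query with QR and OPCODE clear and QDCOUNT zero) satisfies SID 17294; a normal lookup and a response both fall through. For SID 17407 any request whose URI contains `.hlp`, in any case and including a query string, raises the alert, which is why it can trip on ordinary help-file downloads.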