[Snort-sigs] New Question for SID 17294 and SID 17407

rmkml rmkml at ...324...
Tue Apr 12 10:52:28 EDT 2011

Hi Mod,
The best is to enable packet capture for these rules and check then...
The second rule is very short (for performance reasons) but allows possible FPs... (like searching for .hlp in parameters, for example) {best is to block the hlp extension on your web proxy...}
If I remember correctly, the first rule is not in the recommended rules...

On Tue, 12 Apr 2011, Mohd Mukrim Che Mohamad Zulkifly wrote:

> This is the rule for SID 17294
> alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DOS Microsoft Windows NAT Helper DNS query denial of service attempt"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|00 00|"; depth:2; offset:4; reference:bugtraq,20804; reference:cve,2006-5614; classtype:attempted-dos; sid:17294; rev:2;)
> and this is the rule for SID
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-CLIENT Windows help file download request"; flow:to_server,established; content:".hlp"; nocase; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2006-3357; reference:cve,2006-4138; classtype:attempted-user; sid:17407; rev:4;)
> Recently, I received alerts for those two rules
> SID 17294 (DOS Microsoft Windows NAT Helper DNS query denial of service attempt): 5 times, all Impact Flag 1
> SID 17407 (WEB-CLIENT Windows help file download request): 3 times, 1 with Impact Flag 1, others with Impact Flag 3 and 4, all blocked by RNA Recommended Rule
> Because they rarely occur, I decided to block all those as they don't seem to be significant to the network operation. Was it really necessary to block them?

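The match conditions of the two rules quoted above, re-implemented as an added example (this is not code from the thread or from the Snort ruleset) so the alerts can be checked offline against a packet capture, as rmkml suggests. For SID 17294, byte_test:1,!&,0xF8,2 reads the high byte of the DNS flags at offset 2 and passes only when the QR and Opcode bits are all clear (a standard query), and content:"|00 00|" at offset 4 requires QDCOUNT == 0, a query carrying no question. For SID 17407, content:".hlp"; nocase; http_uri; is a case-insensitive substring search over the whole normalized URI, including the query string, which is where the false positives come from. The proxy_blocks_hlp function is an assumed, narrower path-extension policy standing in for the "block hlp on your web proxy" advice; the DNS headers and URIs are constructed samples.

```python
# Added example (not rmkml's, Sourcefire's or the Snort project's code): the
# match logic of SID 17294 and SID 17407 in Python. Sample packets and URIs
# below are constructed for illustration.
import struct
from urllib.parse import urlsplit


def matches_sid_17294(udp_payload: bytes) -> bool:
    """SID 17294 (CVE-2006-5614) applied to a UDP/53 payload.

    byte_test:1,!&,0xF8,2  -> byte at offset 2 is the high byte of the DNS
                              flags word; QR and Opcode bits (0xF8) must all
                              be clear, i.e. a standard query, not a response.
    content:"|00 00|"; depth:2; offset:4 -> QDCOUNT == 0, a query that asks
                              no question at all.
    """
    if len(udp_payload) < 6:            # need header bytes 0..5
        return False
    if udp_payload[2] & 0xF8:           # QR=1 (response) or non-zero opcode
        return False
    return udp_payload[4:6] == b"\x00\x00"


def build_dns_header(qdcount: int, flags: int = 0x0100) -> bytes:
    """Constructed 12-byte DNS header: ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT,
    ARCOUNT. Default flags 0x0100 = ordinary recursion-desired query."""
    return struct.pack("!HHHHHH", 0x1234, flags, qdcount, 0, 0, 0)


def matches_sid_17407(uri: str) -> bool:
    """SID 17407: content:".hlp"; nocase; http_uri;

    Case-insensitive substring match anywhere in the normalized URI, query
    string included, which is why the rule is fast but FP-prone."""
    return ".hlp" in uri.lower()


def proxy_blocks_hlp(uri: str) -> bool:
    """Assumed proxy-side policy (not from the thread): block only requests
    whose path component ends in .hlp, narrower than the rule's match."""
    return urlsplit(uri).path.lower().endswith(".hlp")


def triage(uri: str) -> str:
    """Separate a real .hlp download from a URI that merely mentions .hlp."""
    if proxy_blocks_hlp(uri):
        return "hlp download"
    if matches_sid_17407(uri):
        return "rule hit, not a .hlp file (likely FP)"
    return "no hit"


if __name__ == "__main__":
    dns_samples = {
        "normal query, 1 question": build_dns_header(1),
        "query with QDCOUNT=0": build_dns_header(0),
        "response with QDCOUNT=0": build_dns_header(0, flags=0x8180),
        "truncated packet": b"\x12\x34\x01",
    }
    for label, pkt in dns_samples.items():
        print(f"SID 17294 {label:26} -> {matches_sid_17294(pkt)}")

    for uri in ["/docs/winhelp.HLP", "/search?q=readme.hlp", "/help.html"]:
        print(f"SID 17407 {uri:22} -> {triage(uri)}")
```

Run it against decoded payloads from the captures the rules fired on: a SID 17294 hit should show a query with QDCOUNT=0 (anything else means the byte offsets in the capture do not line up with a plain DNS header), and a SID 17407 hit whose .hlp sits only in a query parameter is the false positive rmkml describes rather than a help-file download.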