[Snort-sigs] New Question for SID 17294 and SID 17407

Matt Olney molney at ...435...
Tue Apr 12 10:58:43 EDT 2011


Windows help files are blocked by Outlook, and considered dangerous:
http://office.microsoft.com/en-us/outlook-help/blocked-attachments-in-outlook-HA001229952.aspx

This may or may not be a false positive; let us know if it is. This rule is being
reviewed.

I'll have to review the DOS research, but unless you have XP2 machines
with internet sharing, you can probably safely disable this rule:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5614

Matt

On Mon, Apr 11, 2011 at 11:31 PM, Mohd Mukrim Che Mohamad Zulkifly <
mukrim.zulkifly at ...3584...> wrote:

> This is the rule for SID 17294
>
> Rule    alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DOS Microsoft
> Windows NAT Helper DNS query denial of service attempt"; flow:to_server;
> byte_test:1,!&,0xF8,2; content:"|00 00|"; depth:2; offset:4;
> reference:bugtraq,20804; reference:cve,2006-5614; classtype:attempted-dos;
> sid:17294; rev:2; )
>
> and this is the rule for SID
>
> Rule    alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
> (msg:"WEB-CLIENT Windows help file download request";
> flow:to_server,established; content:".hlp"; nocase; http_uri;
> metadata:policy balanced-ips drop, policy security-ips drop, service http;
> reference:cve,2006-3357; reference:cve,2006-4138; classtype:attempted-user;
> sid:17407; rev:4; )
>
>
> Recently, I received alerts for those two rules
>
> SID 17294 (DOS Microsoft Windows NAT Helper DNS query denial of service attempt): 5 times, all Impact Flag 1
> SID 17407 (WEB-CLIENT Windows help file download request): 3 times, 1 with Impact Flag 1, others with Impact Flag 3 and 4, all blocked by RNA Recommended Rule
>
>
> Because they rarely occur, I decided to block all those as they don't seem
> to be significant to the network operation. Was it really necessary to block
> them?
>
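To make the quoted SID 17294 rule concrete, here is an added example (not from the thread or the Snort project) that re-implements its two content checks in Python over constructed DNS headers. It assumes the usual reading of `byte_test:1,!&,0xF8,2` as "the flags byte ANDed with 0xF8 is zero", i.e. QR=0 and Opcode=0; the `udp`/port 53/`flow:to_server` preconditions are not reproduced.

```python
"""Re-implementation of the detection logic in Snort SID 17294 (added example).
The rule fires on a DNS message whose header has QR=0 and Opcode=0
(byte_test:1,!&,0xF8,2) and QDCOUNT == 0 (content:"|00 00|"; depth:2; offset:4):
a standard query that carries no question section, the malformed shape that
CVE-2006-5614 describes for the Windows NAT Helper.  All packets are constructed."""
import struct

DNS_HEADER_LEN = 12  # ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT: six 16-bit fields


def sid_17294_matches(udp_payload: bytes) -> bool:
    """Return True if the payload satisfies SID 17294's byte_test and content checks."""
    if len(udp_payload) < DNS_HEADER_LEN:
        return False                      # offset 4 / depth 2 cannot match a truncated header
    flags_hi = udp_payload[2]             # byte_test:1 at offset 2 = first flags byte
    if flags_hi & 0xF8:                   # "!&" 0xF8: any QR or Opcode bit set -> no match
        return False
    return udp_payload[4:6] == b"\x00\x00"  # content:"|00 00|"; offset:4; depth:2 (QDCOUNT)


def build_dns_header(txid: int, flags: int, qdcount: int,
                     ancount: int = 0, nscount: int = 0, arcount: int = 0) -> bytes:
    """Construct a 12-byte DNS header in network byte order."""
    return struct.pack("!HHHHHH", txid, flags, qdcount, ancount, nscount, arcount)


# Constructed samples (hypothetical traffic, not captures from the poster's sensor).
# Ordinary recursive query for one name: flags 0x0100 (RD), QDCOUNT 1 -> no alert.
NORMAL_QUERY = build_dns_header(0x1234, 0x0100, 1) + \
    b"\x03www\x07example\x03com\x00\x00\x01\x00\x01"
# Standard query with zero questions: the shape the rule is written for -> alert.
EMPTY_QUERY = build_dns_header(0xBEEF, 0x0100, 0)
# Response (QR=1) with QDCOUNT 0: excluded by the byte_test, even though QDCOUNT matches.
EMPTY_RESPONSE = build_dns_header(0xBEEF, 0x8180, 0)
# Inverse query (Opcode 1) with no questions: also outside the 0xF8 mask -> no alert.
EMPTY_IQUERY = build_dns_header(0xBEEF, 0x0900, 0)

SAMPLES = {"normal_query": NORMAL_QUERY, "empty_query": EMPTY_QUERY,
           "empty_response": EMPTY_RESPONSE, "empty_iquery": EMPTY_IQUERY}


def classify(samples: dict) -> dict:
    """Map each sample name to whether SID 17294 would match it."""
    return {name: sid_17294_matches(pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, hit in classify(SAMPLES).items():
        print(f"{name:15s} {'ALERT' if hit else 'ok'}")
```

Running it shows that only `empty_query` matches, which is why a handful of hits on this SID is worth a quick look at the offending client rather than a blanket block.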