[Snort-sigs] historical rule information?

Miller - CDLE, Michael michael.miller at ...1811...
Thu Apr 18 13:25:52 EDT 2013


Thanks Patrick, I'm beginning to think it's a false positive. The top
destinations are all Akamai in nature, and I'm beginning to think there's
something specific about the originating site that's causing the alert.
We're providing internet access to a couple dozen recipients of similar
size, and this is the only one generating that traffic.


On Thu, Apr 18, 2013 at 10:57 AM, Patrick Mullen <pmullen at ...435...>wrote:

> Michael,
>
> Thank you for your query.  That rule is known to have issues with
> false positives so it is not enabled in any default policies, which
> means it is disabled by default.  The proper replacement for this
> alert is from a preprocessor, which has more contextual information
> surrounding the event that is possible within the rule --
>
> 129:15:1 Reset outside window
>
> (That is sid 15 of preprocessor 129, Stream5).
>
> Regarding your statement "There are two ISA servers on that network,
> and they've been patched according to the KB article referenced in the
> rule detail, but the alerts are still being generated," the rule has
> no way of knowing that your servers are patched.  This is part of
> tuning your IDS policy -- if you know your servers are not susceptible
> to this three year old attack, disable the rule to improve performance
> and reduce unnecessary alerts.
>
>
> Thanks,
>
> ~Patrick
>
> On Thu, Apr 18, 2013 at 11:55 AM, Miller - CDLE, Michael
> <michael.miller at ...1811...> wrote:
> > I'm hunting down a rule that's generating a LOT of traffic on our network
> > and was wondering if there were a wiki or history of rules to see what
> the
> > thinking was behind them. Specifically, I'm alerting on
> >
> > [3:15474:5] BAD-TRAFFIC Microsoft ISA Server and Forefront Threat
> Management
> > Gateway invalid RST denial of service attempt [Classification: Attempted
> > Denial of Service]
> >
> > There are two ISA servers on that network, and they've been patched
> > according to the KB article referenced in the rule detail
> > (http://technet.microsoft.com/en-us/security/bulletin/MS09-016), but the
> > alerts are still being generated.
> >
> >
> ------------------------------------------------------------------------------
> > Precog is a next-generation analytics platform capable of advanced
> > analytics on semi-structured data. The platform includes APIs for
> building
> > apps and a phenomenal toolset for data science. Developers can use
> > our toolset for easy data analysis & visualization. Get a free account!
> > http://www2.precog.com/precogplatform/slashdotnewsletter
> > _______________________________________________
> > Snort-sigs mailing list
> > Snort-sigs at lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/snort-sigs
> > http://www.snort.org
> >
> >
> > Please visit http://blog.snort.org for the latest news about Snort!
>
>
>
> --
> Patrick Mullen
> Response Research Manager
> Sourcefire VRT
>



-- 
*Michael Miller*
*Network Security Engineer - SECOPS*
*
*
Governor's Office of Information Technology
Office of Information
Security<http://www.colorado.gov/cs/Satellite/OIT-Cyber/CBON/1249667675596>
633 17th st, Suite 800
Denver, Co 80202
Office (303)318-8317
Cell (720)308-0795

** How am I doing? **
** Please contact my manager, jonathan.trull at ...1811... for comments or
questions. **
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20130418/1216df7d/attachment.html>


More information about the Snort-sigs mailing list