[Snort-sigs] Sig thought (wpad)

James Lay jlay at ...3266...
Thu Feb 13 13:55:44 EST 2014

On 2014-02-13 11:47, Jeremy Hoel wrote:
> You see wpad from the outside IPs to your DNS servers?  Is your DNS
> reachable from the outside?  wpad is just something Windows does by
> default to any DNS that it knows about, so I mean, it's not bad in
> that sense.  I guess it would depend on the config of your DNS that
> you are talking about.
> We wrote a modify.sid to stop 2003195 from firing for wpad
> (content:!"wpad";) but other than that.. we don't look for it since
> our DNS is local hosts only.
> On Thu, Feb 13, 2014 at 11:20 AM, James Lay <jlay at ...3266...> wrote:
>> Should one see wpad requests from the outside world?  Seems kinda icky
>> to me...thinking about sigging that up..thoughts?
>> James
>> James

Truth be told I'm assisting a buddy of mine...and on that DMZ I see a
TON of wpad requests to a web server from the Net...which I thought was
unusual to say the least.  I'll take a peek at that rule..thanks Jeremy.

