[Snort-sigs] Sig thought (wpad)
jlay at ...3266...
Thu Feb 13 13:55:44 EST 2014
On 2014-02-13 11:47, Jeremy Hoel wrote:
> You see wpad from the outside IPs to your DNS servers? Is your DNS
> reachable from the outside? wpad is just something windows does by
> default to any dns that it knows about, so I mean, it's not bad in
> that sense. I guess it would depend on the config of your DNS that
> you are talking about.
> We wrote a modify.sid to stop 2003195 from firing for wpad
> (content:!"wpad";) but other then that.. we don't look for it since
> our DNS is local hosts only.
> On Thu, Feb 13, 2014 at 11:20 AM, James Lay
> <jlay at ...3266...> wrote:
>> Should one see wpad requests from the outside world? Seems kinda
>> to me...thinking about sigging that up..thoughts?
Truth be told I'm assisting a buddy of mine...and on that DMZ I see a
TON of wpad request to a web server from the Net...which I thought was
unusual to say the least. I'll take a peek at that rule..thanks Jeremy.
More information about the Snort-sigs