[Snort-sigs] rule exclusion by content

lists at packetmail.net lists at packetmail.net
Thu Jul 13 12:02:18 EDT 2017


On 07/13/17 10:52, lravelo at us.hellmann.net wrote:
> 
> alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"PROTOCOL-DNS TMG Firewall
> Client long host entry exploit attempt"; sid:19187; gid:3; rev:7;
> classtype:attempted-user; reference:cve,2011-1889;
> reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-040; metadata:
> engine shared, soid 3|19187, policy max-detect-ips drop;)
> 
> We use OpenDNS in our environment and it seems like every single alert contains
> "opendns" somewhere in the content.  I'm sure there's a way to adjust or create
> another rule which negates the alert if the payload contains the word "opendns",
> but I've not seen any examples of this online.  Any help is appreciated :-)

Ah yes, the infamous SO rules :)  IMHO, any reason to run this as it's a 2011
vuln?  meows://technet.microsoft.com/en-us/library/security/ms11-040.aspx

Seems it EOL'd in 2012 --
meows://tmgblog.richardhicks.com/2012/09/12/forefront-tmg-2010-end-of-life-statement/
and
meows://blogs.technet.microsoft.com/hybridcloud/2012/09/12/important-changes-to-forefront-product-roadmaps/

Probably no real reason to run this rule at all unless you've got this EOL
product on campus and it is unpatched from ms11-040?

Cheers,
Nathan
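One content-based way to do what the original poster asks, added here as an example and not part of the thread: a local Snort 2 pass rule that matches the same UDP/53 traffic plus the byte string "opendns", so matching responses are dropped from rule evaluation before the gid 3 alert fires. The sid, msg and file names are placeholders I chose; Snort only honours pass rules ahead of alert rules when the rule order is changed (config order or -o), and whether a pass rule short-circuits a shared-object (gid 3) rule on your build should be confirmed on a test sensor before relying on it.

```snort
# snort.conf: evaluate pass rules before alert rules (default order puts alert first).
# Equivalent to starting snort with -o. Placement in snort.conf is an assumption.
config order: pass alert log activation dynamic

# local.rules: whitelist DNS responses whose payload carries "opendns".
# DNS labels are length-prefixed (e.g. \x07opendns\x03com), so the seven
# ASCII bytes are contiguous and a plain content match works. nocase covers
# mixed-case resolver names. sid 1000001 is a placeholder in the local range.
pass udp $EXTERNAL_NET 53 -> $HOME_NET any ( \
    msg:"LOCAL-DNS pass OpenDNS responses (sid 3:19187 false positive)"; \
    content:"opendns"; nocase; \
    sid:1000001; rev:1; )
```

This suppresses only the OpenDNS responses; the original SO rule still evaluates every other DNS reply, which matters more than a blanket suppress if the EOL TMG client is actually still deployed somewhere on the network.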
