[Snort-sigs] rule exclusion by content

Thomas Bounds thomas.bounds at lonza.com
Thu Jul 13 12:31:29 EDT 2017

Please remove me from this list

From: Snort-sigs [mailto:snort-sigs-bounces at lists.snort.org] On Behalf Of lravelo at us.hellmann.net
Sent: Thursday, July 13, 2017 12:06 PM
To: lists at packetmail.net
Cc: snort-sigs at lists.snort.org
Subject: Re: [Snort-sigs] rule exclusion by content

We don't use TMG at all.  If the vulnerability is only related to that then it's probably a better idea to disable the sid altogether.  Thanks for the help.


Lazaro Ravelo
ISS Systems Engineer II

Hellmann Worldwide Logistics Inc.
10450 Doral Blvd
Doral, FL  33178
Phone:  +1 305 406 4500
Fax:  +1 305 418 4992
Direct:  +1 305 406 4574
Mobile:  +1 305 927 1386
Email:  Lazaro.Ravelo at us.hellmann.net<mailto:Lazaro.Ravelo at us.hellmann.net>
Web:  www.hellmann.com<http://www.hellmann.net/>
[cid:image001.jpg at 01D2FBD3.F3557160]

From:        lists at packetmail.net<mailto:lists at packetmail.net>
To:        lravelo at us.hellmann.net<mailto:lravelo at us.hellmann.net>, snort-sigs at lists.snort.org<mailto:snort-sigs at lists.snort.org>
Date:        07/13/2017 12:02 PM
Subject:        Re: [Snort-sigs] rule exclusion by content

On 07/13/17 10:52, lravelo at us.hellmann.net<mailto:lravelo at us.hellmann.net> wrote:
> alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"PROTOCOL-DNS TMG Firewall
> Client long host entry exploit attempt"; sid:19187; gid:3; rev:7;
> classtype:attempted-user; reference:cve,2011-1889;
> reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-040; metadata:
> engine shared, soid 3|19187, policy max-detect-ips drop;)
> we use OpenDNS in our environment and it seems like every single alert contains
> "opendns" somewhere in the content.  I'm sure there's a way to adjust or create
> another rule which negates the alert if the payload contains the word "opendns"
> but I've not seen any examples of this online.  Any help is appreciated :-)

As yes, the infamous SO rules :)  IMHO, any reason to run this as it's a 2011
vuln?  meows://technet.microsoft.com/en-us/library/security/ms11-040.aspx

Seems it EOL'd in 2012 --

Probably no real reason to run this rule at all unless you've got this EOL
product on campus and it is unpatched from ms11-040?


07/13/2017----12:02:18 PM

>Disclaimer: Please note that Internet communications are not secure and therefore HELLMANN WORLDWIDE LOGISTICS does not accept legal responsibility for the contents of this message. This e-mail is intended only for the use of the individual or entity named above and may contain information that is confidential and privileged. If you are not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this e-mail is strictly prohibited. Opinions, conclusions and other information in this message that do not relate to the official business of HELLMANN WORLDWIDE LOGISTICS shall be understood as neither given nor endorsed by it. Viruses: HELLMANN WORLDWIDE LOGISTICS takes all possible steps to ensure that emails are virus free, but does not accept any liability or responsibility whatsoever for any claims, losses or damages arising as a result of any party accessing this email or files attached to it.

This communication and its attachments, if any, may contain confidential and privileged information the use of which by other persons or entities than the intended recipient is prohibited. If you receive this transmission in error, please contact the sender immediately and delete the material from your system.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20170713/7c024574/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.jpg
Type: image/jpeg
Size: 2291 bytes
Desc: image001.jpg
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20170713/7c024574/attachment.jpg>

More information about the Snort-sigs mailing list