[Snort-sigs] rule exclusion by content

wkitty42 at windstream.net wkitty42 at windstream.net
Thu Jul 13 12:46:34 EDT 2017


On 07/13/2017 11:52 AM, lravelo at us.hellmann.net wrote:
> Good morning,
> 
> I have this rule which generates way too many alerts in squert:
> 
> alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"PROTOCOL-DNS TMG Firewall 
> Client long host entry exploit attempt"; sid:19187; gid:3; rev:7; 
> classtype:attempted-user; reference:cve,2011-1889; 
> reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-040; metadata: 
> engine shared, soid 3|19187, policy max-detect-ips drop;)


this is a binary shared object rule... it has source code located in 
so_rules/src/protocol-dns_tmg-firewall-client-long-hostent.c...


> we use OpenDNS in our environment and it seems like every single alert contains 
> "opendns" somewhere in the content.  I'm sure there's a way to adjust or create 
> another rule which negates the alert if the payload contains the word "opendns" 
> but I've not seen any examples of this online.  Any help is appreciated :-)


it may be possible to add a negation to the above rule and recompile it but it 
would probably be best if you threshold the rule in your threshold.conf or 
completely disable it if you do not have any TMG firewall clients on your network...

i'll leave it to you to figure out how and where to comment out rule 19187 in 
your SO_RULE stubs to completely disable it... in the meantime, here are two 
threshold examples that should work for you... the first is complete suppression 
no matter what DNS servers are used... the second disables the rule only for the 
openDNS servers... if they ever change IPs, you'll have to update the 
threshold.conf to the new ones...


----->8 snip 8<-----
# Suppress "TMG Firewall Client long host entry exploit attempt"
suppress gen_id 3, sig_id 19187
----->8 snip 8<-----


OR only kill it for the opendns servers no matter what clients you have on 
your network... this leaves the rule in play in case other DNS servers are used 
by clients on your network...


----->8 snip 8<-----
# Suppress "TMG Firewall Client long host entry exploit attempt" only for opendns standard servers
suppress gen_id 3, sig_id 19187, track by_src, ip 208.67.222.222
suppress gen_id 3, sig_id 19187, track by_src, ip 208.67.220.220
suppress gen_id 3, sig_id 19187, track by_src, ip 208.67.222.220
suppress gen_id 3, sig_id 19187, track by_src, ip 208.67.220.222
suppress gen_id 3, sig_id 19187, track by_src, ip 2620:0:ccc::2
suppress gen_id 3, sig_id 19187, track by_src, ip 2620:0:ccd::2

# Suppress "TMG Firewall Client long host entry exploit attempt" only for opendns familyshield servers
suppress gen_id 3, sig_id 19187, track by_src, ip 208.67.222.123
suppress gen_id 3, sig_id 19187, track by_src, ip 208.67.220.123
----->8 snip 8<-----



NOTE: i'm not sure if the two IPv6 suppression lines are right...

FWIW: openDNS is now owned by Cisco who also owns Talos (formerly VRT) ;)


-- 
  NOTE: No off-list assistance is given without prior approval.
        *Please keep mailing list traffic on the list unless*
        *a signed and pre-paid contract is in effect with us.*
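The two threshold.conf variants above differ in one important way: the first drops every alert for gid 3 / sid 19187, while the second drops the alert only when the tracked address (here the source, because the rule is $EXTERNAL_NET 53 -> $HOME_NET, so the DNS server is the packet source) is one of the listed OpenDNS resolvers. The script below is an added example, not code from the thread or from Snort itself; it is a simplified model of how `suppress` directives are matched, written so you can check which of your own alerts a given threshold.conf would silence before deploying it. It assumes one address or CIDR per `ip` option (bracketed lists are not modelled), and it only validates that the IPv6 lines parse as addresses; whether your Snort build accepts IPv6 in threshold.conf is not something the script can tell you.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample threshold.conf contents, copied from the two variants in the reply.
SUPPRESS_ALL = """
# Suppress "TMG Firewall Client long host entry exploit attempt"
suppress gen_id 3, sig_id 19187
"""

SUPPRESS_OPENDNS = """
# Suppress "TMG Firewall Client long host entry exploit attempt" only for opendns standard servers
suppress gen_id 3, sig_id 19187, track by_src, ip 208.67.222.222
suppress gen_id 3, sig_id 19187, track by_src, ip 208.67.220.220
suppress gen_id 3, sig_id 19187, track by_src, ip 2620:0:ccc::2
suppress gen_id 3, sig_id 19187, track by_src, ip 2620:0:ccd::2
"""


@dataclass
class Suppress:
    gen_id: int
    sig_id: int
    track: Optional[str] = None          # "by_src", "by_dst", or None (unconditional)
    nets: list = field(default_factory=list)


def parse_threshold_conf(text: str) -> List[Suppress]:
    """Parse 'suppress' directives (simplified model of Snort's threshold.conf syntax)."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or comment
        if not line.startswith("suppress"):
            raise ValueError(f"line {lineno}: only 'suppress' directives are modelled")
        opts = {}
        for part in line[len("suppress"):].split(","):
            key, _, value = part.strip().partition(" ")
            if not value.strip():
                raise ValueError(f"line {lineno}: malformed option {part.strip()!r}")
            opts[key] = value.strip()
        rule = Suppress(gen_id=int(opts["gen_id"]), sig_id=int(opts["sig_id"]))
        # 'track' and 'ip' only make sense together.
        if ("track" in opts) != ("ip" in opts):
            raise ValueError(f"line {lineno}: 'track' and 'ip' must be given together")
        if "track" in opts:
            if opts["track"] not in ("by_src", "by_dst"):
                raise ValueError(f"line {lineno}: bad track value {opts['track']!r}")
            rule.track = opts["track"]
            # ip_network() takes a host address or CIDR, IPv4 or IPv6, and
            # raises on anything that is not syntactically a valid address.
            rule.nets = [ipaddress.ip_network(opts["ip"], strict=False)]
        rules.append(rule)
    return rules


def is_suppressed(rules: List[Suppress], gen_id: int, sig_id: int, src: str, dst: str) -> bool:
    """Would this alert be silenced? An unconditional suppress always wins; otherwise
    the tracked address (source or destination) must fall inside one of the nets."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if (r.gen_id, r.sig_id) != (gen_id, sig_id):
            continue
        if r.track is None:
            return True
        addr = s if r.track == "by_src" else d
        # An IPv4 address is never "in" an IPv6 network (and vice versa); no exception.
        if any(addr in net for net in r.nets):
            return True
    return False


if __name__ == "__main__":
    rules = parse_threshold_conf(SUPPRESS_OPENDNS)
    # Constructed alerts: the DNS server is the packet source for this rule.
    for src in ("208.67.222.222", "8.8.8.8", "2620:0:ccc::2"):
        state = "suppressed" if is_suppressed(rules, 3, 19187, src, "10.0.0.5") else "alerts"
        print(f"sid 19187 from {src}: {state}")
```

Run it against your real threshold.conf and a few source addresses pulled from the squert alerts; if an OpenDNS-sourced alert still shows "alerts", the listed IP does not match what the resolver is actually answering from, which is the "if they ever change IPs" failure mode the reply warns about.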


