[Snort-users] Rule 17494

JJC cummingsj at ...11827...
Fri Oct 1 16:23:08 EDT 2010


As a matter of clarity... there are a number of distinct differences between
a GID:3 stub rule and a GID:1 regular rule.

Note the following GID:3 stub:

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS Microsoft IP Options
denial of service"; sid:10127; gid:3; rev:1; classtype:attempted-dos;
reference:url,www.microsoft.com/technet/security/bulletin/ms06-032.mspx;
reference:cve,2006-2379; metadata: engine shared, soid 3|10127;)

You will see that it contains only a msg:""; value and no content or other
testing keyword values.  Also note that it contains a gid:x; keyword and a
soid value within the metadata section.

One common keyword that you may see would be flowbits:...;

Using these items it should be fairly easy to identify a GID:3 vs a GID:1
based rule.

JJC
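One way to apply these tells mechanically, as an added example that is not from the original post and not Snort or Sourcefire code: a small parser that splits a rule's option body, prints the GID:SID:REV triple the list asks posters to quote, and reports which options actually test packet data. The two rules are the ones posted in this thread; DETECTION_KEYWORDS is my own, non-exhaustive list of Snort 2.x test options (flowbits is deliberately left out, since a stub may carry it).

```python
"""Tell a GID:3 shared-object (SO) stub from a GID:1 text rule.

Added example for this thread, not Snort code. It applies the tells above:
a stub has msg/sid/gid:3/rev/classtype/reference plus a metadata 'soid'
entry, and no content or other keyword that tests packet data.
"""
import re

# Both rules are quoted from the thread; line wrapping is joined by parse_rule().
STUB_RULE = """alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS Microsoft IP Options
denial of service"; sid:10127; gid:3; rev:1; classtype:attempted-dos;
reference:url,www.microsoft.com/technet/security/bulletin/ms06-032.mspx;
reference:cve,2006-2379; metadata: engine shared, soid 3|10127;)"""

TEXT_RULE = """alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-CLIENT Microsoft
Internet Explorer Long URL Buffer Overflow attempt"; flow:established,to_server;
urilen:>260; content:"GET"; http_method; content:"HTTP|2F|1|2E|1|0D 0A|";
metadata:service http; reference:bugtraq,19667; reference:cve,2006-3869;
classtype:attempted-user; sid:17494; rev:1;)"""

# Assumption: a representative subset of Snort 2.x options that test packet
# data. flowbits/flow are state and direction checks, so they stay out.
DETECTION_KEYWORDS = {
    "content", "uricontent", "pcre", "urilen", "byte_test", "byte_jump",
    "byte_extract", "isdataat", "dsize", "flags", "ttl", "itype", "icode",
    "ip_proto", "fragbits", "seq", "ack", "window", "id", "tos", "ipopts",
    "http_method", "http_uri", "http_header", "http_client_body",
}

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<body>.*)\)$"
)


def split_options(body):
    """Split the option body on ';' outside double quotes, honouring '\\' escapes."""
    opts, cur, in_quote, esc = [], [], False, False
    for ch in body:
        if esc:
            cur.append(ch)
            esc = False
            continue
        if ch == "\\":
            cur.append(ch)
            esc = True
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            opts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    tail = "".join(cur).strip()
    if tail:
        opts.append(tail)
    return [o for o in opts if o]


def parse_rule(text):
    """Return header fields plus an ordered list of (keyword, value) options."""
    flat = " ".join(text.split())  # join wrapped lines, collapse whitespace
    m = HEADER_RE.match(flat)
    if not m:
        raise ValueError("not a Snort rule header: %r" % flat[:40])
    rule = m.groupdict()
    rule["options"] = [
        (key.strip(), val.strip())
        for key, _, val in (opt.partition(":") for opt in split_options(rule.pop("body")))
    ]
    return rule


def option(rule, name, default=None):
    """First value of option `name`, or `default` if the rule lacks it."""
    for key, val in rule["options"]:
        if key == name:
            return val
    return default


def rule_id(rule):
    """GID:SID:REV as the list asks posters to quote; a missing gid means GID 1."""
    return "%s:%s:%s" % (option(rule, "gid", "1"), option(rule, "sid", "?"), option(rule, "rev", "?"))


def classify(rule):
    """Label the rule 'so_stub' or 'text' and list the options that test packet data."""
    keys = {k for k, _ in rule["options"]}
    gid = int(option(rule, "gid", "1"))
    has_soid = any("soid" in v for k, v in rule["options"] if k == "metadata")
    detection = sorted(keys & DETECTION_KEYWORDS)
    kind = "so_stub" if (gid == 3 or has_soid) else "text"
    warnings = []
    if kind == "so_stub" and detection:
        warnings.append("stub carries detection options: " + ", ".join(detection))
    if kind == "text" and not detection:
        warnings.append("text rule tests nothing beyond header and flow")
    return {"id": rule_id(rule), "kind": kind, "detection": detection, "warnings": warnings}


if __name__ == "__main__":
    for text in (STUB_RULE, TEXT_RULE):
        print(classify(parse_rule(text)))
```

For the two rules above this prints `3:10127:1` as an `so_stub` with no detection options, and `1:17494:1` as a `text` rule whose tests are `content`, `http_method` and `urilen`; a stub that does carry payload tests, or a text rule that carries none, is flagged in `warnings` so the reader sees a rule that does not match either pattern.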

On Fri, Oct 1, 2010 at 2:14 PM, waldo kitty <wkitty42 at ...14940...> wrote:

> On 10/1/2010 15:08, Jefferson, Shawn wrote:
> > Anyone else notice this rule, 17494 triggering a lot today?  Or is it just me…
> > it’s an old vulnerability from 2006.
> >
> > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-CLIENT Microsoft
> > Internet Explorer Long URL Buffer Overflow attempt"; flow:established,to_server;
> > urilen:>260; content:"GET"; http_method; content:"HTTP|2F|1|2E|1|0D 0A|";
> > metadata:service http; reference:bugtraq,19667; reference:cve,2006-3869;
> > classtype:attempted-user; sid:17494; rev:1;)
>
>
> please remember to include the GID (and revision)... AFAICT, this is either a
> GID:3 (SO rule) or it is one of the new ones not yet available to "registered"
> users...
>
> thank you ;)
>