[Snort-users] Rule 17494

infosec posts infosec.posts at ...11827...
Fri Oct 1 22:00:43 EDT 2010


Frankly, I'm surprised I haven't seen more complaints about this rule.
I only had it active for about a 3 hour window when I actually had
users on the network, and had over 1.2 million alerts out of it before
I got it shut down.  While I believe it's good to load test your
systems, I prefer not to do it on critical production systems and
spend hours trying to shut off the DoS that I got from this signature.
I've learned my lesson, though; I can't trust automatic deployment of
the VRT subscriber rules any more.

There's a thread earlier this week when I inquired about it, and
Sourcefire said they had a request to write some sigs for really old
exploits that are probably irrelevant for the majority of their
subscribers.  Unfortunately, they apparently skipped the QC on this
one.


On Fri, Oct 1, 2010 at 2:08 PM, Jefferson, Shawn
<Shawn.Jefferson at ...14448...> wrote:
> Anyone else notice this rule, 17494 triggering a lot today?  Or is it just
> me… it’s an old vulnerability from 2006.
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-CLIENT
> Microsoft Internet Explorer Long URL Buffer Overflow attempt";
> flow:established,to_server; urilen:>260; content:"GET"; http_method;
> content:"HTTP|2F|1|2E|1|0D 0A|"; metadata:service http;
> reference:bugtraq,19667; reference:cve,2006-3869; classtype:attempted-user;
> sid:17494; rev:1;)
>
> --
> Shawn Jefferson, IT Security, GCIH, GCFA
> British Columbia Ferry Services Inc.
> Tel: (250) 978-1508
> Fax: (250) 405-3533
> Shawn.Jefferson at ...14448... | www.bcferries.com
>
>
>
>
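The alert flood both posters describe follows directly from the rule's match criteria: any GET from $HOME_NET to an external web server with a request URI longer than 260 bytes and an "HTTP/1.1\r\n" request line trips it, which describes a great deal of ordinary browsing (search queries, tracking parameters, long CDN asset names). The script below is an added illustration, not part of the thread and not Sourcefire's or Snort's own matching engine: it models just the request-line checks carried by SID 17494 (content:"GET"; http_method, urilen:>260, and the HTTP/1.1 content match), ignores flow tracking and $HOME_NET/$EXTERNAL_NET evaluation, and runs them over a handful of constructed sample requests so the expected false-positive volume can be estimated before a rule like this is enabled on a production sensor. The function and sample names are mine.

```python
"""
Approximate the content checks of Snort SID 17494 in plain Python so the
expected alert volume can be estimated from sample traffic before the rule
is enabled.  Added example: this is not Snort's matching engine and does not
model flow:established,to_server or the $HOME_NET/$EXTERNAL_NET variables.
"""
import re

URILEN_THRESHOLD = 260  # from the rule's urilen:>260 option

# Request line: METHOD SP URI SP HTTP/x.y CRLF
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/(\d\.\d)\r\n")


def matches_sid_17494(request: bytes) -> bool:
    """Return True if a raw HTTP request would trip the rule's content checks."""
    m = REQUEST_LINE.match(request)
    if not m:
        return False
    method, uri, version = m.group(1), m.group(2), m.group(3)
    # content:"GET"; http_method;
    if method != b"GET":
        return False
    # urilen:>260 (raw URI length in bytes)
    if len(uri) <= URILEN_THRESHOLD:
        return False
    # content:"HTTP|2F|1|2E|1|0D 0A|" is the byte string "HTTP/1.1\r\n"
    return version == b"1.1"


def build_get(uri: str, host: str = "example.invalid") -> bytes:
    """Construct a minimal HTTP/1.1 GET request for the sample set."""
    return f"GET {uri} HTTP/1.1\r\nHost: {host}\r\n\r\n".encode()


# Constructed sample requests approximating ordinary client traffic.
SAMPLE_REQUESTS = [
    # short URI: no alert
    build_get("/index.html"),
    # search query with twenty tracking parameters: 306-byte URI, alert
    build_get("/search?q=snort+rule+17494&"
              + "&".join(f"utm_{i}=value{i}" for i in range(20))),
    # long CDN asset name: 308-byte URI, alert
    build_get("/cdn/" + "a" * 300 + ".js"),
    # POST is excluded by the http_method check
    b"POST /login HTTP/1.1\r\nHost: example.invalid\r\nContent-Length: 0\r\n\r\n",
    # long URI but HTTP/1.0, so the version content match fails
    ("GET /" + "b" * 300 + " HTTP/1.0\r\nHost: example.invalid\r\n\r\n").encode(),
]


def count_alerts(requests) -> int:
    """Number of requests in the sample that would raise SID 17494."""
    return sum(1 for r in requests if matches_sid_17494(r))


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        line = req.split(b"\r\n", 1)[0][:60]
        print(f"{'ALERT ' if matches_sid_17494(req) else 'pass  '} {line!r}")
    print(f"{count_alerts(SAMPLE_REQUESTS)} of {len(SAMPLE_REQUESTS)} sample requests alert")
```

Two of the five constructed requests alert, and both are benign; a sensor in front of a few hundred browsing users produces the same ratio at network scale, which is the volume the first poster reports. Running a new rule's content checks over a capture of ordinary traffic in this way, or loading it on a test sensor first, is the check that catches a threshold like urilen:>260 before it reaches production; once it is there, a `suppress gen_id 1, sig_id 17494` line in threshold.conf (standard Snort 2 syntax) silences the rule without editing the rules file that the next subscriber update will overwrite.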