[Snort-users] Rule 17494

Joel Esler jesler at ...1935...
Fri Oct 1 23:59:15 EDT 2010


What was the state of the rule by default?  We don't include it in any of our base policies (balanced, connectivity, or security) for good reason, but was the rule enabled by default?

We apologize for the fact that the rule caused so many alerts, and as I have said, it has been corrected.

Joel

--
Sent from my iPad

On Oct 1, 2010, at 10:00 PM, infosec posts <infosec.posts at ...11827...> wrote:

> Frankly, I'm surprised I haven't seen more complaints about this rule.
> I only had it active for about a 3 hour window when I actually had
> users on the network, and had over 1.2 million alerts out of it before
> I got it shut down.  While I believe it's good to load test your
> systems, I prefer not to do it on critical production systems and
> spend hours trying to shut off the DoS that I got from this signature.
> I've learned my lesson, though; I can't trust automatic deployment of
> the VRT subscriber rules any more.
> 
> There's a thread earlier this week when I inquired about it, and
> Sourcefire said they had a request to write some sigs for really old
> exploits that are probably irrelevant for the majority of their
> subscribers.  Unfortunately, they apparently skipped the QC on this
> one.
> 
> 
> On Fri, Oct 1, 2010 at 2:08 PM, Jefferson, Shawn
> <Shawn.Jefferson at ...14448...> wrote:
>> Anyone else notice this rule, 17494 triggering a lot today?  Or is it just
>> me… it’s an old vulnerability from 2006.
>> 
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-CLIENT
>> Microsoft Internet Explorer Long URL Buffer Overflow attempt";
>> flow:established,to_server; urilen:>260; content:"GET"; http_method;
>> content:"HTTP|2F|1|2E|1|0D 0A|"; metadata:service http;
>> reference:bugtraq,19667; reference:cve,2006-3869; classtype:attempted-user;
>> sid:17494; rev:1;)
>> 
>> --
>> Shawn Jefferson, IT Security, GCIH, GCFA
>> British Columbia Ferry Services Inc.
>> Tel: (250) 978-1508
>> Fax: (250) 405-3533
>> Shawn.Jefferson at ...14448... | www.bcferries.com
>> 
>> 
>> 
>> ------------------------------------------------------------------------------
>> Start uncovering the many advantages of virtual appliances
>> and start using them to simplify application deployment and
>> accelerate your shift to cloud computing.
>> http://p.sf.net/sfu/novell-sfdev2dev
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>> 
> 
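The noise Shawn and the other posters describe follows directly from the rule text quoted above: apart from the session constraints, SID 17494 only requires a GET, a URI longer than 260 bytes, and the literal "HTTP/1.1" line terminator, which describes a large share of ordinary browsing traffic. The script below is an added example, not code from Snort, Sourcefire or anyone in this thread. It re-implements just those three payload checks (treating urilen as the raw request-URI length, an assumption, and treating the flow/$HOME_NET/$EXTERNAL_NET conditions as already satisfied) and runs them over a few constructed, benign HTTP requests so you can see which ones would have alerted and why.

```python
"""Toy evaluator for the payload checks of Snort SID 17494.

Added example, not code from Snort or the Sourcefire VRT. It re-implements
only the checks visible in the rule text quoted in the thread (GET method,
urilen:>260, the literal "HTTP/1.1\\r\\n") to show why the signature fires
on ordinary long URLs. The flow:established,to_server and
$HOME_NET -> $EXTERNAL_NET constraints are TCP-session properties, so they
are assumed satisfied (any internal client talking to an external web server).
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

URILEN_THRESHOLD = 260           # from "urilen:>260" in the rule
VERSION_TOKEN = b"HTTP/1.1\r\n"  # content:"HTTP|2F|1|2E|1|0D 0A|"


@dataclass
class Verdict:
    alert: bool
    reason: str


def parse_request_line(raw: bytes) -> Optional[tuple[bytes, bytes, bytes]]:
    """Return (method, uri, version) from the first line of an HTTP request."""
    first_line, sep, _ = raw.partition(b"\r\n")
    if not sep:
        return None
    parts = first_line.split(b" ")
    if len(parts) != 3:
        return None
    return parts[0], parts[1], parts[2]


def sid_17494_matches(raw: bytes) -> Verdict:
    """Apply the rule's payload conditions in the order they are written."""
    parsed = parse_request_line(raw)
    if parsed is None:
        return Verdict(False, "malformed request line")
    method, uri, _version = parsed
    if method != b"GET":                      # content:"GET"; http_method;
        return Verdict(False, "method is not GET")
    if len(uri) <= URILEN_THRESHOLD:          # urilen:>260 (assumed: raw URI length)
        return Verdict(False, f"urilen {len(uri)} is not > {URILEN_THRESHOLD}")
    if VERSION_TOKEN not in raw:              # content:"HTTP|2F|1|2E|1|0D 0A|"
        return Verdict(False, "no HTTP/1.1 request line")
    return Verdict(True, f"GET with urilen {len(uri)} > {URILEN_THRESHOLD} over HTTP/1.1")


def build_request(method: str, uri: str, version: str = "HTTP/1.1") -> bytes:
    """Assemble a minimal raw HTTP request (constructed sample traffic)."""
    return f"{method} {uri} {version}\r\nHost: www.example.com\r\n\r\n".encode("ascii")


# Constructed sample traffic: ordinary client requests of the kind any
# browsing session produces, none of them related to the 2006 IE bug.
SAMPLE_REQUESTS = {
    "long search query": build_request("GET", "/search?q=" + "snort+rule+17494+" * 20),
    "long tracking URL": build_request("GET", "/pixel?session=" + "f" * 280 + "&ad=1"),
    "short page fetch": build_request("GET", "/index.html"),
    "long POST": build_request("POST", "/api/" + "x" * 400),
    "long GET over HTTP/1.0": build_request("GET", "/" + "y" * 300, "HTTP/1.0"),
}


def count_alerts(requests: dict[str, bytes]) -> int:
    """How many of the given requests would raise SID 17494."""
    return sum(1 for raw in requests.values() if sid_17494_matches(raw).alert)


if __name__ == "__main__":
    for label, raw in SAMPLE_REQUESTS.items():
        v = sid_17494_matches(raw)
        print(f"{label:24s} alert={str(v.alert):5s} {v.reason}")
    print(f"{count_alerts(SAMPLE_REQUESTS)} of {len(SAMPLE_REQUESTS)} benign requests alert")
```

Two of the five constructed requests alert, and both are the kind of long search or tracking URL a normal user generates constantly, which is the shape of the 1.2 million alerts reported above. Checking a candidate rule against a small corpus of known-benign requests like this, before letting an automatic rule update push it into a production policy, is the cheap QC step that would have caught it.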
