[Snort-users] Rule 3:13476 direction?
Shawn.Jefferson at ...14448...
Wed Sep 1 17:29:52 EDT 2010
I'm looking at a few alerts from the so_rule 3:13476, but it looks like the direction is wrong...
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-MISC Microsoft IIS HTMLEncode Unicode string buffer overflow"; sid:13476; gid:3; rev:2; classtype:web-application-attack; reference:cve,2008-0075; reference:url,www.microsoft.com/technet/security/bulletin/ms08-006.mspx; metadata: engine shared, soid 3|13476;)
>From what I can gather, this is vulnerability in IIS, but the direction of the rule above is HOME_NET to EXTERNAL_NET and the alerts that I am seeing are from a client in my network to servers on the Internet. Since I can't see into the rule, I don't really know exactly what is going on with it, but this looks to me like a rule I could disable?
(and this does not look like an attack from inside my network either...)
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Snort-users