[Snort-users] Rule 3:13476 direction?

Jefferson, Shawn Shawn.Jefferson at ...14448...
Tue Sep 7 13:40:37 EDT 2010

Anybody from SourceFire/VRT here that can comment on this?

From: Jefferson, Shawn [mailto:Shawn.Jefferson at ...14448...]
Sent: Wednesday, September 01, 2010 2:30 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Rule 3:13476 direction?


I'm looking at a few alerts from the so_rule 3:13476, but it looks like the direction is wrong...

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-MISC Microsoft IIS HTMLEncode Unicode string buffer overflow"; sid:13476; gid:3; rev:2; classtype:web-application-attack; reference:cve,2008-0075; reference:url,www.microsoft.com/technet/security/bulletin/ms08-006.mspx; metadata: engine shared, soid 3|13476;)

>From what I can gather, this is vulnerability in IIS, but the direction of the rule above is HOME_NET to EXTERNAL_NET and the alerts that I am seeing are from a client in my network to servers on the Internet.  Since I can't see into the rule, I don't really know exactly what is going on with it, but this looks to me like a rule I could disable?

(and this does not look like an attack from inside my network either...)


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20100907/dae8bcb4/attachment.html>

More information about the Snort-users mailing list