[Snort-users] Question about "BAD-TRAFFIC TMG Firewall Client..." so rule
C. L. Martinez
carlopmart at ...11827...
Fri Dec 14 02:27:15 EST 2012
For several days, in fact since I activated the so_rules, I have been getting
many "BAD-TRAFFIC TMG Firewall Client long host entry exploit attempt"
alerts. In my network, some workstations use the TMG Firewall Client, but
the servers and some workstations do not. And it is strange, because this
alarm is triggered only with Unix hosts and with two Windows 2008 AD
servers (neither of which has the TMG client installed), and only when
doing DNS queries. For example:
[**] [3:19187:2] BAD-TRAFFIC TMG Firewall Client long host entry exploit attempt [**]
[Classification: Attempted User Privilege Gain] [Priority: 1]
12/14-02:03:18.271097 18.104.22.168:53 -> 10.196.0.103:53
UDP TTL:52 TOS:0x0 ID:24219 IpLen:20 DgmLen:964
[Xref => http://technet.microsoft.com/en-us/security/bulletin/MS11-040][Xref
10.196.0.103 is a CentOS machine with Bind9 installed... then why is
this alert triggered?
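A triage script for exactly this situation, added here as an example and not part of the original post or of Snort. It parses the multi-line alert layout quoted above (Snort's alert_full output), tallies each rule by protocol/port pair and destination host, and flags rules whose every hit involves port 53 on one side, which is the pattern the poster describes (a TMG Firewall Client rule firing only on DNS traffic to a BIND server). The embedded alert records are constructed sample data modelled on the alert in the post; the addresses and timestamps are made up.

```python
"""Group Snort alert_full records by rule, ports and destination host.

Added example for triaging a rule that seems to fire only on one kind of
traffic (here DNS, port 53). Not code from Snort or from the original post.
"""
import re
from collections import Counter

# Constructed sample input modelled on the alert quoted in the post.
SAMPLE_ALERTS = """\
[**] [3:19187:2] BAD-TRAFFIC TMG Firewall Client long host entry exploit attempt [**]
[Classification: Attempted User Privilege Gain] [Priority: 1]
12/14-02:03:18.271097 18.104.22.168:53 -> 10.196.0.103:53
UDP TTL:52 TOS:0x0 ID:24219 IpLen:20 DgmLen:964
[Xref => http://technet.microsoft.com/en-us/security/bulletin/MS11-040]
[**] [3:19187:2] BAD-TRAFFIC TMG Firewall Client long host entry exploit attempt [**]
[Classification: Attempted User Privilege Gain] [Priority: 1]
12/14-02:05:41.102233 192.0.2.10:53 -> 10.196.0.103:53
UDP TTL:57 TOS:0x0 ID:1021 IpLen:20 DgmLen:880
[**] [3:19187:2] BAD-TRAFFIC TMG Firewall Client long host entry exploit attempt [**]
[Classification: Attempted User Privilege Gain] [Priority: 1]
12/14-02:07:03.551000 192.0.2.10:53 -> 10.196.0.7:45120
UDP TTL:57 TOS:0x0 ID:1044 IpLen:20 DgmLen:901
[**] [1:1000001:1] EXAMPLE unrelated rule (constructed) [**]
[Classification: Misc activity] [Priority: 3]
12/14-02:08:00.000000 10.196.0.50:51234 -> 203.0.113.5:80
TCP TTL:64 TOS:0x0 ID:5 IpLen:20 DgmLen:60 DF
"""

HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]$")
# timestamp src[:port] -> dst[:port]; ports are absent for ICMP/IP alerts
PACKET_RE = re.compile(r"^(\S+) (\S+?)(?::(\d+))? -> (\S+?)(?::(\d+))?$")
PROTO_RE = re.compile(r"^(UDP|TCP|ICMP|IP)\b")


def parse_alerts(text):
    """Return one dict per alert record (gid, sid, rev, msg, ts, proto, endpoints)."""
    alerts = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            current = {"gid": int(m.group(1)), "sid": int(m.group(2)),
                       "rev": int(m.group(3)), "msg": m.group(4), "ts": None,
                       "proto": None, "src": None, "sport": None,
                       "dst": None, "dport": None}
            alerts.append(current)
            continue
        if current is None:
            continue  # text before the first record
        m = PACKET_RE.match(line)
        if m and " -> " in line:
            current["ts"], current["src"], current["dst"] = m.group(1), m.group(2), m.group(4)
            current["sport"] = int(m.group(3)) if m.group(3) else None
            current["dport"] = int(m.group(5)) if m.group(5) else None
            continue
        m = PROTO_RE.match(line)
        if m:
            current["proto"] = m.group(1)
    return alerts


def summarize(alerts):
    """Per (gid, sid): hit count, (proto, sport, dport) counter, destination host counter."""
    summary = {}
    for a in alerts:
        entry = summary.setdefault((a["gid"], a["sid"]), {
            "msg": a["msg"], "total": 0, "ports": Counter(), "dst_hosts": Counter()})
        entry["total"] += 1
        entry["ports"][(a["proto"], a["sport"], a["dport"])] += 1
        entry["dst_hosts"][a["dst"]] += 1
    return summary


def dns_only_rules(summary):
    """Rules whose every hit is UDP/TCP with port 53 on either side: review candidates."""
    return sorted(key for key, entry in summary.items()
                  if all(proto in ("UDP", "TCP") and 53 in (sport, dport)
                         for (proto, sport, dport) in entry["ports"]))


if __name__ == "__main__":
    summary = summarize(parse_alerts(SAMPLE_ALERTS))
    for (gid, sid), entry in sorted(summary.items()):
        print(f"{gid}:{sid} {entry['msg']} hits={entry['total']}")
        for (proto, sport, dport), n in entry["ports"].most_common():
            print(f"    {proto} {sport} -> {dport}: {n}")
        for host, n in entry["dst_hosts"].most_common():
            print(f"    dst {host}: {n}")
    print("DNS-only rules:", dns_only_rules(summary))
```

Run it against a real alert file by replacing SAMPLE_ALERTS with the file's contents; a rule that appears under "DNS-only rules" with a resolver or authoritative server as the only destination is worth checking against the rule's intended target (here, the TMG Firewall Client protocol) before deciding whether to suppress it for those hosts.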