[Snort-users] Question about "BAD-TRAFFIC TMG Firewall Client..." so rule

Joel Esler jesler at ...1935...
Fri Dec 14 10:17:27 EST 2012


On Fri, Dec 14, 2012 at 07:27:15AM +0000, C. L. Martinez wrote:
> Hi all,
> 
> For several days, in fact since I activated the so_rules, I am getting
> many "BAD-TRAFFIC TMG Firewall Client long host entry exploit attempt"
> alerts. In my network, some workstations use the TMG Firewall Client, but
> servers and some workstations do not. And it is strange because this
> alarm is triggered only with Unix hosts and with two Windows 2008 AD
> servers (they either have the TMG client installed) and only when
> doing DNS queries. For example:
> 
> [**] [3:19187:2] BAD-TRAFFIC TMG Firewall Client long host entry
> exploit attempt [**]
> [Classification: Attempted User Privilege Gain] [Priority: 1]
> 12/14-02:03:18.271097 149.20.64.4:53 -> 10.196.0.103:53
> UDP TTL:52 TOS:0x0 ID:24219 IpLen:20 DgmLen:964
> Len: 936
> [Xref => http://technet.microsoft.com/en-us/security/bulletin/MS11-040][Xref
> => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2011-1889]
> 
> 10.196.0.103 is a CentOS machine with Bind9 installed... then why is
> this alert triggered?


I'll have the person who wrote this rule get back to you on this.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
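As an added triage helper, not part of this thread or of the Snort rule set: a small Python script that parses Snort full-format alert blocks like the one quoted above and groups them by signature and transport tuple, so a defender can quickly confirm whether every hit for SID 19187 is a UDP reply from source port 53 to the resolver host. The two embedded alert blocks are constructed samples modelled on the quoted one; the second source address and timestamps are made up.

```python
import re
from collections import Counter

# Constructed sample: two full-format alert blocks modelled on the quoted one.
SAMPLE_ALERTS = """\
[**] [3:19187:2] BAD-TRAFFIC TMG Firewall Client long host entry exploit attempt [**]
[Classification: Attempted User Privilege Gain] [Priority: 1]
12/14-02:03:18.271097 149.20.64.4:53 -> 10.196.0.103:53
UDP TTL:52 TOS:0x0 ID:24219 IpLen:20 DgmLen:964
Len: 936

[**] [3:19187:2] BAD-TRAFFIC TMG Firewall Client long host entry exploit attempt [**]
[Classification: Attempted User Privilege Gain] [Priority: 1]
12/14-02:05:41.102233 192.0.2.10:53 -> 10.196.0.103:53
UDP TTL:55 TOS:0x0 ID:1011 IpLen:20 DgmLen:512
Len: 484
"""

HEADER_RE = re.compile(r"\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]")
FLOW_RE = re.compile(r"^\S+ (\S+):(\d+) -> (\S+):(\d+)$", re.M)
PROTO_RE = re.compile(r"^(TCP|UDP|ICMP) .*DgmLen:(\d+)", re.M)

def parse_alerts(text):
    """Split full-format alert output into dicts (gid, sid, msg, flow, proto, dgmlen)."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        h, f, p = HEADER_RE.search(block), FLOW_RE.search(block), PROTO_RE.search(block)
        if not (h and f and p):
            continue  # skip partial or garbled blocks rather than guess at fields
        alerts.append({
            "gid": int(h.group(1)), "sid": int(h.group(2)), "msg": h.group(4),
            "src": f.group(1), "sport": int(f.group(2)),
            "dst": f.group(3), "dport": int(f.group(4)),
            "proto": p.group(1), "dgmlen": int(p.group(2)),
        })
    return alerts

def summarize(alerts):
    """Count alerts per (gid:sid, proto, sport, dport, dst) to expose a pattern."""
    return Counter((f"{a['gid']}:{a['sid']}", a["proto"], a["sport"], a["dport"], a["dst"])
                   for a in alerts)

def dns_response_hits(alerts):
    """Alerts that are UDP from source port 53: DNS replies to a resolver, not client traffic."""
    return [a for a in alerts if a["proto"] == "UDP" and a["sport"] == 53]

if __name__ == "__main__":
    for key, n in summarize(parse_alerts(SAMPLE_ALERTS)).most_common():
        print(n, key)
```

Run it against a real alert file by replacing SAMPLE_ALERTS with the file contents; a summary in which every hit shares the (UDP, 53, 53, resolver) tuple is the evidence to hand to the rule author.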
