[Snort-users] Question about "BAD-TRAFFIC TMG Firewall Client..." so rule

Joel Esler jesler at ...1935...
Fri Dec 14 10:17:27 EST 2012

On Fri, Dec 14, 2012 at 07:27:15AM +0000, C. L. Martinez wrote:
> Hi all,
> For several days, in fact since I activated the so_rules, I am getting
> many "BAD-TRAFFIC TMG Firewall Client long host entry exploit attempt"
> alerts. In my network, some workstations use TMG Firewall Client, but
> servers and some workstations do not. And it is strange because this
> alarm is triggered only with Unix hosts and with two Windows 2008 AD
> servers (they either have the TMG client installed) and only when
> doing DNS queries. For example:
> [**] [3:19187:2] BAD-TRAFFIC TMG Firewall Client long host entry
> exploit attempt [**]
> [Classification: Attempted User Privilege Gain] [Priority: 1]
> 12/14-02:03:18.271097 ->
> UDP TTL:52 TOS:0x0 ID:24219 IpLen:20 DgmLen:964
> Len: 936
> [Xref => http://technet.microsoft.com/en-us/security/bulletin/MS11-040][Xref
> => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2011-1889]
> is a CentOS machine with Bind9 installed... then why is
> this alert triggered?

I'll have the person who wrote this rule get back to you on this.

Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
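When a rule like 3:19187 starts firing across a whole network, the first step is to confirm what the hits have in common before touching the ruleset. The script below is an added example, not code from the thread or from the Snort project: it parses alert records in the "full" alert format quoted above, counts hits per (gid, sid) by transport protocol and destination port, and lists the sources whose hits were all UDP to port 53, which is the pattern the poster describes. The sample alerts, IP addresses and ports are constructed for the example; the `suppress` line it emits uses Snort's documented threshold.conf syntax and is only meant for sources you have verified to be DNS resolvers.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in Snort "full" alert format, modelled on the alert in the
# thread. Addresses, ports and the third (placeholder) rule are made up.
SAMPLE_ALERTS = """\
[**] [3:19187:2] BAD-TRAFFIC TMG Firewall Client long host entry exploit attempt [**]
[Classification: Attempted User Privilege Gain] [Priority: 1]
12/14-02:03:18.271097 192.0.2.10:47213 -> 192.0.2.53:53
UDP TTL:52 TOS:0x0 ID:24219 IpLen:20 DgmLen:964
Len: 936
[Xref => http://technet.microsoft.com/en-us/security/bulletin/MS11-040][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2011-1889]

[**] [3:19187:2] BAD-TRAFFIC TMG Firewall Client long host entry exploit attempt [**]
[Classification: Attempted User Privilege Gain] [Priority: 1]
12/14-02:05:40.102233 192.0.2.11:51002 -> 192.0.2.53:53
UDP TTL:64 TOS:0x0 ID:1021 IpLen:20 DgmLen:900
Len: 872

[**] [1:1000001:1] EXAMPLE placeholder rule [**]
[Classification: Misc activity] [Priority: 3]
12/14-02:06:01.000001 192.0.2.12:40000 -> 192.0.2.20:8080
TCP TTL:64 TOS:0x0 ID:5 IpLen:20 DgmLen:60 DF
"""

HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]$")
PRIORITY_RE = re.compile(r"\[Priority: (\d+)\]")
PACKET_RE = re.compile(
    r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (\S+?):(\d+) -> (\S+?):(\d+)$")
PROTO_RE = re.compile(r"^(UDP|TCP|ICMP)\b")


def parse_alerts(text):
    """Parse 'full' alert output into one dict per blank-line-separated record."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.strip().splitlines()
        m = HEADER_RE.match(lines[0])
        if not m:
            continue  # not an alert record (e.g. a stray log line); skip it
        rec = {"gid": int(m.group(1)), "sid": int(m.group(2)),
               "rev": int(m.group(3)), "msg": m.group(4), "priority": None,
               "timestamp": None, "src": None, "sport": None,
               "dst": None, "dport": None, "proto": None}
        for line in lines[1:]:
            if (p := PRIORITY_RE.search(line)):
                rec["priority"] = int(p.group(1))
            elif (pk := PACKET_RE.match(line)):
                rec["timestamp"] = pk.group(1)
                rec["src"], rec["sport"] = pk.group(2), int(pk.group(3))
                rec["dst"], rec["dport"] = pk.group(4), int(pk.group(5))
            elif (pr := PROTO_RE.match(line)):
                rec["proto"] = pr.group(1)
        alerts.append(rec)
    return alerts


def summarize(alerts):
    """Count hits per (gid, sid), broken down by (protocol, destination port)."""
    summary = defaultdict(Counter)
    for a in alerts:
        summary[(a["gid"], a["sid"])][(a["proto"], a["dport"])] += 1
    return summary


def dns_only_sources(alerts, gid, sid):
    """Sources whose every hit on this rule was UDP to port 53 (DNS queries)."""
    by_src = defaultdict(list)
    for a in alerts:
        if (a["gid"], a["sid"]) == (gid, sid):
            by_src[a["src"]].append((a["proto"], a["dport"]))
    return sorted(src for src, hits in by_src.items()
                  if all(h == ("UDP", 53) for h in hits))


def suppress_line(gid, sid, ip):
    """Snort threshold.conf suppression for one rule from one source address."""
    return f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {ip}"


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    for key, counts in summarize(parsed).items():
        print(key, dict(counts))
    for src in dns_only_sources(parsed, 3, 19187):
        print(suppress_line(3, 19187, src))
```

Run it against a real alert file by replacing `SAMPLE_ALERTS` with the file contents. If every source listed by `dns_only_sources` is a resolver you operate (the CentOS/Bind9 host in the thread, for instance), that is strong evidence of a false positive on long DNS packets rather than TMG client traffic, and a per-source `suppress` keeps the rule active for everything else while the rule author investigates.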
