[Snort-users] Why would my server trigger rule Sid 17487

Al Lewis (allewi) allewi at ...589...
Tue Feb 10 05:16:17 EST 2015


It would be really helpful to have a pcap to determine if the rule is a false positive or not. 

The rule was written for an issue with IE 6 on Windows XP according to the documentation. XP has long been dead and the current IE version is 11.

Maybe you have users trying to connect with old machines/outdated browsers? 


Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046 
Phone: (office) 443.430.7112
Email: allewi at ...589... 

-----Original Message-----
From: Kelly D. Leavitt [mailto:kelly at ...17088...] 
Sent: Monday, February 09, 2015 4:29 PM
To: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Why would my server trigger rule Sid 17487

No. 
Since I don't use snort nor pcap for ips it would take some time to gather this information.

A customer is reporting this rule trigger.

We have quite a few customers in our training every day for several years and this is the first we've heard of this issue.

-----Original Message-----
From: Al Lewis (allewi) [mailto:allewi at ...589...] 
Sent: Monday, February 09, 2015 4:27 PM
To: Kelly D. Leavitt; snort-users at lists.sourceforge.net
Subject: RE: Why would my server trigger rule Sid 17487

Hello,

	Would you happen to have some sample traffic in pcap format for review?

Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046 
Phone: (office) 443.430.7112
Email: allewi at ...589... 


-----Original Message-----
From: Kelly D. Leavitt [mailto:kelly at ...17088...] 
Sent: Monday, February 09, 2015 4:16 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Why would my server trigger rule Sid 17487

We have a customer complaining that our online training is triggering packet loss due to https://www.snort.org/rule_docs/17487

What could be triggering this alert?

Thanks,
Kelly Leavitt
Computer Specialist
Lion Technology Inc.

_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!




