Snort mailing list archives

Re: Rule 17494
From: Joel Esler <jesler () sourcefire com>
Date: Fri, 1 Oct 2010 23:59:15 -0400

What was the state of the rule by default?  We don't include it in any of our base policies (balanced, connectivity, or
security) for good reason, but was the rule enabled by default?

We apologize for the fact that the rule caused so many alerts, and as I have said, it has been corrected.

Joel

--
Sent from my iPad

On Oct 1, 2010, at 10:00 PM, infosec posts <infosec.posts () gmail com> wrote:

Frankly, I'm surprised I haven't seen more complaints about this rule.
I only had it active for about a 3 hour window when I actually had
users on the network, and had over 1.2 million alerts out of it before
I got it shut down.  While I believe it's good to load test your
systems, I prefer not to do it on critical production systems and
spend hours trying to shut off the DoS that I got from this signature.
I've learned my lesson, though; I can't trust automatic deployment of
the VRT subscriber rules any more.

There's a thread earlier this week when I inquired about it, and
Sourcefire said they had a request to write some sigs for really old
exploits that are probably irrelevant for the majority of their
subscribers.  Unfortunately, they apparently skipped the QC on this
one.


On Fri, Oct 1, 2010 at 2:08 PM, Jefferson, Shawn
<Shawn.Jefferson () bcferries com> wrote:
Anyone else notice this rule, 17494, triggering a lot today?  Or is it just
me… it’s an old vulnerability from 2006.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-CLIENT \
Microsoft Internet Explorer Long URL Buffer Overflow attempt"; \
flow:established,to_server; urilen:>260; content:"GET"; http_method; \
content:"HTTP|2F|1|2E|1|0D 0A|"; metadata:service http; \
reference:bugtraq,19667; reference:cve,2006-3869; classtype:attempted-user; \
sid:17494; rev:1;)

--
Shawn Jefferson, IT Security, GCIH, GCFA
British Columbia Ferry Services Inc.
Tel: (250) 978-1508
Fax: (250) 405-3533
Shawn.Jefferson () bcferries com | www.bcferries.com



------------------------------------------------------------------------------
Start uncovering the many advantages of virtual appliances
and start using them to simplify application deployment and
accelerate your shift to cloud computing.
http://p.sf.net/sfu/novell-sfdev2dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
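Added example, not from the thread or from Sourcefire: a dry run of the request-line checks in SID 17494 over constructed HTTP request lines, showing why ordinary browsing with long URLs trips it. It models only `GET` + `urilen:>260` + `HTTP/1.1\r\n` and assumes the header and `flow` checks are satisfied, as they are for normal outbound web traffic.

```python
import re

# Added example: estimate how many benign client requests SID 17494 would
# alert on.  Modelled checks: content:"GET"; http_method;  urilen:>260;
# content:"HTTP|2F|1|2E|1|0D 0A|" (i.e. "HTTP/1.1\r\n").
# Assumed satisfied: $HOME_NET -> $EXTERNAL_NET $HTTP_PORTS and
# flow:established,to_server.  urilen is assumed to see the URI as sent.

URILEN_THRESHOLD = 260  # from urilen:>260 in the rule
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) (HTTP/\d\.\d)\r\n")


def rule_17494_matches(request_line: bytes) -> bool:
    """True if the request line satisfies the rule's content checks."""
    m = REQUEST_LINE.match(request_line)
    if not m:
        return False
    method, uri, version = m.groups()
    if method != b"GET":                # content:"GET"; http_method;
        return False
    if len(uri) <= URILEN_THRESHOLD:    # urilen:>260;
        return False
    return version == b"HTTP/1.1"       # content:"HTTP|2F|1|2E|1|0D 0A|";


def matching_uris(request_lines):
    """URIs of every request line the rule would alert on."""
    return [REQUEST_LINE.match(r).group(2) for r in request_lines
            if rule_17494_matches(r)]


# Constructed sample of benign client traffic; none of these is an exploit.
SAMPLE_REQUESTS = [
    b"GET /index.html HTTP/1.1\r\n",                                # short: no alert
    b"GET /search?q=schedule&sid=" + b"a" * 300 + b" HTTP/1.1\r\n",  # 323 bytes: alert
    b"GET /img/" + b"b" * 300 + b" HTTP/1.0\r\n",                    # HTTP/1.0: no alert
    b"POST /api/" + b"c" * 300 + b" HTTP/1.1\r\n",                   # not GET: no alert
    b"GET /" + b"d" * 259 + b" HTTP/1.1\r\n",                        # exactly 260: no alert
    b"GET /" + b"e" * 260 + b" HTTP/1.1\r\n",                        # 261 bytes: alert
    b"GET /cdn/app.js?token=" + b"f" * 250 + b" HTTP/1.1\r\n",       # 268 bytes: alert
]

if __name__ == "__main__":
    hits = matching_uris(SAMPLE_REQUESTS)
    print(f"{len(hits)} of {len(SAMPLE_REQUESTS)} benign requests would alert")
    for uri in hits:
        print(f"  urilen={len(uri)} {uri[:40]!r}...")
```

Feeding real proxy or web-server request lines to `matching_uris` before enabling a rule like this gives a rough alert volume without putting the sensor in front of production users.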


