Snort mailing list archives

Re: historical rule information?
From: Patrick Mullen <pmullen () sourcefire com>
Date: Thu, 18 Apr 2013 12:57:50 -0400

Michael,

Thank you for your query.  That rule is known to have issues with
false positives so it is not enabled in any default policies, which
means it is disabled by default.  The proper replacement for this
alert is from a preprocessor, which has more contextual information
surrounding the event than is possible within the rule --

129:15:1 Reset outside window

(That is sid 15 of preprocessor 129, Stream5).

Regarding your statement "There are two ISA servers on that network,
and they've been patched according to the KB article referenced in the
rule detail, but the alerts are still being generated," the rule has
no way of knowing that your servers are patched.  This is part of
tuning your IDS policy -- if you know your servers are not susceptible
to this three year old attack, disable the rule to improve performance
and reduce unnecessary alerts.


Thanks,

~Patrick

On Thu, Apr 18, 2013 at 11:55 AM, Miller - CDLE, Michael
<michael.miller () state co us> wrote:
I'm hunting down a rule that's generating a LOT of traffic on our network
and was wondering if there were a wiki or history of rules to see what the
thinking was behind them. Specifically, I'm alerting on

[3:15474:5] BAD-TRAFFIC Microsoft ISA Server and Forefront Threat Management
Gateway invalid RST denial of service attempt [Classification: Attempted
Denial of Service]

There are two ISA servers on that network, and they've been patched
according to the KB article referenced in the rule detail
(http://technet.microsoft.com/en-us/security/bulletin/MS09-016), but the
alerts are still being generated.

------------------------------------------------------------------------------
Precog is a next-generation analytics platform capable of advanced
analytics on semi-structured data. The platform includes APIs for building
apps and a phenomenal toolset for data science. Developers can use
our toolset for easy data analysis & visualization. Get a free account!
http://www2.precog.com/precogplatform/slashdotnewsletter
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!



-- 
Patrick Mullen
Response Research Manager
Sourcefire VRT
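The thread turns on two practical steps: measuring how noisy 3:15474 really is, and then silencing it, either everywhere (Patrick's advice) or only for the hosts Michael knows are patched. The Python below is an added example, not code from this thread or from Snort: it parses Snort alert_fast lines (constructed sample lines with RFC 5737 addresses), counts alerts per gid:sid:rev, and emits threshold.conf "suppress" directives. Treating the patched ISA servers as the destination addresses of the alerted flows is my assumption for the sample data.

```python
import re
from collections import Counter

# Snort alert_fast line layout:
# MM/DD-HH:MM:SS.ffffff  [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: n] {PROTO} src:port -> dst:port
ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) \[\*\*\]"
    r".*?\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)(?::\d+)?"
)

ISA_RST_MSG = ("BAD-TRAFFIC Microsoft ISA Server and Forefront Threat Management "
               "Gateway invalid RST denial of service attempt")
# Constructed sample alerts (not from the thread): three hits on SO rule 3:15474, one on the
# Stream5 replacement event 129:15, one unrelated alert.  Addresses are RFC 5737 examples.
SAMPLE_ALERTS = [
    f"04/18-11:40:01.000001  [**] [3:15474:5] {ISA_RST_MSG} [**] [Classification: Attempted Denial of Service] [Priority: 2] {{TCP}} 198.51.100.7:51234 -> 192.0.2.10:443",
    f"04/18-11:40:02.000002  [**] [3:15474:5] {ISA_RST_MSG} [**] [Classification: Attempted Denial of Service] [Priority: 2] {{TCP}} 198.51.100.8:51235 -> 192.0.2.11:443",
    f"04/18-11:40:03.000003  [**] [3:15474:5] {ISA_RST_MSG} [**] [Classification: Attempted Denial of Service] [Priority: 2] {{TCP}} 198.51.100.7:51236 -> 192.0.2.10:443",
    "04/18-11:40:04.000004  [**] [129:15:1] Reset outside window [**] [Priority: 3] {TCP} 203.0.113.9:8080 -> 192.0.2.20:40000",
    "04/18-11:40:05.000005  [**] [1:2000:1] CONSTRUCTED test alert [**] [Classification: Misc activity] [Priority: 3] {UDP} 203.0.113.9:53 -> 192.0.2.21:40001",
]

def parse_alert(line):
    """Return gid/sid/rev/msg/proto/src/dst for one alert_fast line, or None if it is not one."""
    m = ALERT_RE.search(line)
    return m.groupdict() if m else None

def count_by_signature(lines):
    """Alert count per (gid, sid, rev, msg): the first step in finding the noisy rule."""
    counts = Counter()
    for a in map(parse_alert, lines):
        if a:
            counts[(a["gid"], a["sid"], a["rev"], a["msg"])] += 1
    return counts

def suppress_lines(lines, patched_hosts=None, gid="3", sid="15474"):
    """threshold.conf 'suppress' directives for one signature.  With no host list the event
    is silenced everywhere (Patrick's advice); with a list it is silenced only where the
    alerted flow's destination is a host you know is patched (assumed to be the ISA servers)."""
    if not patched_hosts:
        return [f"suppress gen_id {gid}, sig_id {sid}"]
    hosts = sorted({a["dst"] for a in map(parse_alert, lines)
                    if a and a["gid"] == gid and a["sid"] == sid and a["dst"] in patched_hosts})
    return [f"suppress gen_id {gid}, sig_id {sid}, track by_dst, ip {h}" for h in hosts]

if __name__ == "__main__":
    for sig, n in count_by_signature(SAMPLE_ALERTS).most_common():
        print(n, ":".join(sig[:3]), sig[3])
    print("\n".join(suppress_lines(SAMPLE_ALERTS, {"192.0.2.10", "192.0.2.11"})))
```

The emitted lines go into the threshold.conf that snort.conf includes; 129:15 is left untouched on purpose, since it is the replacement event Patrick points to.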
