Re: TMG Firewall Client long host entry exploit attempt

["Joel Esler (jesler)" <jesler () cisco com>]

On Mar 2, 2014, at 4:05 PM, Carlos G Mendioroz <tron () acm org> wrote:

> Signed PGP part
> Thanks Joel, as I said, that one is like sweeping under the carpet,
> right ?

No, any Snort instance should be tuned to its environment.

> Snort is surprisingly quiet too. Other than this, it seems all the bad
> guys went on vacation…

Try running with “-k none” turned on.

--
Joel Esler | Threat Intelligence Team Lead | Open Source Manager | Vulnerability Research Team


> On this one, it seems that the rule is triggering on answers to a ROOT
> dns query. That one also makes me wonder why is bind asking for that.
>
> -Carlos
>
> Joel Esler (jesler) @ 02/03/2014 17:59 -0300 dixit:
> > The easiest way to deal with this one is, if you aren't running the
> > tmg firewall client, shut the rule off.
> >
> > -- Joel Esler Sent from my iPhone
> >
> > > On Mar 2, 2014, at 6:51, "Carlos G Mendioroz" <tron () acm org>
> > > wrote:
> > Hi, I've recently installed snort on a home border server. (again,
> > this is a complete re-install of my place infrastructure :)
> >
> > I keep snort running, not frequently updated, just to have some
> > sense of activity. Upload alerts to dshield too.
> >
> > This time, snort remained way too silent. But 3:19187:2 is firing
> > with many of my server's DNS queries. (bind9 forwarder)
> >
> > I've search for clues but this seems to be an so rule and I don't
> > know how to troubleshoot this. I guess I can disable the rule, but
> > that's just going to hide the issue. I do have a capture of one
> > incident triggering the rule, not that it is difficult to reproduce
> > (
> >
> > Help ? TIA,
> > > ------------------------------------------------------------------------------
> Flow-based real-time traffic analytics software. Cisco certified tool.
> > > Monitor traffic, SLAs, QoS, Medianet, WAAS etc. with NetFlow
> > > Analyzer Customize your own dashboards, set traffic alerts and
> > > generate reports. Network behavioral analysis & security
> > > monitoring. All-in-one tool.
> > > http://pubads.g.doubleclick.net/gampad/clk?id=126839071&iu=/4140/ostg.clktrk
> _______________________________________________
> > > Snort-users mailing list Snort-users () lists sourceforge net Go to
> > > this URL to change user options or unsubscribe:
> > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
>
> --
> Carlos G Mendioroz  <tron () acm org>

Attachment: signature.asc
Description: Message signed with OpenPGP using GPGMail

------------------------------------------------------------------------------
Subversion Kills Productivity. Get off Subversion & Make the Move to Perforce.
With Perforce, you get hassle-free workflows. Merge that actually works. 
Faster operations. Version large binaries.  Built-in WAN optimization and the
freedom to use Git, Perforce or both. Make the move to Perforce.
http://pubads.g.doubleclick.net/gampad/clk?id=122218951&iu=/4140/ostg.clktrk

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!