List: bleeding-sigs
Subject: Re: [Bleeding-sigs] New Signature Submission: Sun Ray 1 Thin Client
From: Eric Hines <eric.hines () appliedwatch ! com>
Date: 2006-07-14 16:27:28
Message-ID: 44B7C5F0.3090606 () appliedwatch ! com
Yep that was it, nice eye Bamm..
So no new Sun Ray rule? Ah, thanks for poohing on my parade :)
Suppose I'll have to give my first bleeding-edge rule another try :)
Best Regards,
Eric S. Hines, GCIA, CISSP
CEO, President, Chairman
Applied Watch Technologies, LLC
--------------------------------------------------
Email: eric.hines@appliedwatch.com
Address: 1095 Pingree Road
Suite 213
Crystal Lake, IL
60014
Tel: (877) 262-7593 ext:327
Local: (847) 854-5831
Fax: (847) 854-5106
Web: http://www.appliedwatch.com
--------------------------------------------------
Security Management for the Open Source Enterprise
Bamm Visscher wrote:
> By chance is your HOME_NET set to 'any'?
>
> Bammkkkk
>
>
> On 7/14/06, Eric Hines <eric.hines@appliedwatch.com> wrote:
> > Yep.. it's matching on it every time. Look at the SRC IP...
> >
> > alert ip [0.0.0.0/7,2.0.0.0/8,5.0.0.0/8,7.0.0.0/8,23.0.0.0/8,27.0.0.0/8,31.0.0.0/8,36.0.0.0/7,39.0.0.0/8,42.0.0.0/8,49.0.0.0/8] \
> > any -> $HOME_NET any (msg:"BLEEDING-EDGE POLICY Reserved IP Space Traffic - Bogon Nets 1"; \
> > classtype:bad-unknown; reference:url,www.cymru.com/Documents/bogon-list.html; \
> > threshold: type limit, track by_src, count 1, seconds 360; sid:2002749; rev:2;)
> >
> > Best Regards,
> >
> > Eric S. Hines, GCIA, CISSP
> > CEO, President, Chairman
> > Applied Watch Technologies, LLC
> >
> >
> > --------------------------------------------------
> >
> > Email: eric.hines@appliedwatch.com
> > Address: 1095 Pingree Road
> > Suite 213
> > Crystal Lake, IL
> > 60014
> > Tel: (877) 262-7593 ext:327
> > Local: (847) 854-5831
> > Fax: (847) 854-5106
> > Web: http://www.appliedwatch.com
> >
> > --------------------------------------------------
> > Security Management for the Open Source Enterprise
> >
> > Frank Knobbe wrote:
> > > On Fri, 2006-07-14 at 11:05 -0500, Eric Hines wrote:
> > > > This occurs because when the Sun Ray 1 is booted up it sends a broadcast
> > > > out originating from 0.0.0.0 to 255.255.255.255 for a DHCP Request.
> > > >
> > > > - Sun Ray sends out DHCP request (RFC 2131, RFC 1533) broadcast to
> > > > 255.255.255.255
> > > >
> > > > 0.0.0.0.bootpc > 255.255.255.255.bootp:
> > > > xid:0x5dc3dfb0
> > > > DHCP:DISCOVER
> > >
> > > Uhm... that alone is not specific to SunRay. That's a normal BOOTP/DHCP
> > > discovery that ANY host will send. I wouldn't consider this a bogon. I
> > > doubt Bleeding sigs consider broadcasts (255.255.255.255 or all 0) as a
> > > bogon. If so, that rule needs to be changed.
> > >
> > > > Class-identifier:"SUNW.NewT.SUNW"
> > > > Client-identifier:01:08:00:20:c1:0d:fb
> > >
> > > That is specific to the Sun. But... do we need to add those for every
> > > type of system that requests an IP address??? I doubt it.
> > >
> > > Cheers,
> > > Frank
> > >
> >
> > _______________________________________________
> > Bleeding-sigs mailing list
> > Bleeding-sigs@bleedingsnort.com
> > http://lists.bleedingsnort.com/mailman/listinfo/bleeding-sigs
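The cause Bamm points at, worked through as an added example (my own code, not from the thread or the Bleeding Edge rule set): the rule header is `alert ip [bogon list] any -> $HOME_NET any`, and the Sun Ray's DHCP DISCOVER travels from 0.0.0.0 to 255.255.255.255. The source falls inside 0.0.0.0/7, so the only thing that decides whether the rule fires is whether the broadcast destination is inside $HOME_NET, which it always is when HOME_NET is `any`. The bogon list is copied from the rule quoted above; the function names, the `home_net` argument convention and the extra sample packets are my assumptions, and the first sample packet is reconstructed from the tcpdump line in the thread.

```python
import ipaddress

# Source networks copied from the bogon rule quoted in the thread (sid:2002749, rev:2).
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/7", "2.0.0.0/8", "5.0.0.0/8", "7.0.0.0/8", "23.0.0.0/8", "27.0.0.0/8",
    "31.0.0.0/8", "36.0.0.0/7", "39.0.0.0/8", "42.0.0.0/8", "49.0.0.0/8",
)]


def matching_bogon_net(src):
    """Return the rule's source network that contains src, or None (hypothetical helper)."""
    ip = ipaddress.ip_address(src)
    for net in BOGON_NETS:
        if ip in net:
            return str(net)
    return None


def in_home_net(dst, home_net):
    """Resolve $HOME_NET the way the rule header would: the string 'any' matches
    every address, otherwise home_net is a list of CIDR strings (my convention)."""
    if home_net == "any":
        return True
    ip = ipaddress.ip_address(dst)
    return any(ip in ipaddress.ip_network(n) for n in home_net)


def bogon_rule_matches(src, dst, home_net):
    """True when the quoted header (src in bogon list -> dst in $HOME_NET) matches.
    Ports are 'any' on both sides and the threshold only limits alert volume,
    so neither changes whether the header itself matches."""
    return matching_bogon_net(src) is not None and in_home_net(dst, home_net)


# Constructed sample packets: the first is the Sun Ray DHCP DISCOVER from the
# tcpdump line in the thread; the other two are made up here for contrast.
SAMPLE_PACKETS = [
    ("0.0.0.0", "255.255.255.255", "DHCP DISCOVER broadcast at boot"),
    ("5.1.2.3", "192.168.1.10", "constructed: source inside a listed bogon net"),
    ("8.8.8.8", "192.168.1.10", "constructed: ordinary public source"),
]


def evaluate(home_net, packets=SAMPLE_PACKETS):
    """Return (description, matched, matching_net) per packet for a given $HOME_NET."""
    return [(desc, bogon_rule_matches(src, dst, home_net), matching_bogon_net(src))
            for src, dst, desc in packets]


if __name__ == "__main__":
    for home in ("any", ["192.168.1.0/24"]):
        print(f"HOME_NET = {home}")
        for desc, matched, net in evaluate(home):
            flag = "ALERT" if matched else "no   "
            print(f"  {flag}  {desc} (bogon net: {net})")
```

With HOME_NET set to `any`, the DHCP DISCOVER matches, and it would match for any host doing a BOOTP/DHCP discovery, not only a Sun Ray, which is Frank's objection. Scoping HOME_NET to the address ranges actually monitored puts the 255.255.255.255 destination outside it, so the broadcast no longer satisfies the header while traffic from a bogon source to a monitored host still does.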