
List:       snort-sigs
Subject:    Re: [Snort-sigs] historical rule information?
From:       "Miller - CDLE, Michael" <michael.miller () state ! co ! us>
Date:       2013-04-18 17:25:52
Message-ID: CAE5xWhCqWcJLWVZzMvX2ULD6bX1rjgLw5sGw5k_otUSaHR21Gw () mail ! gmail ! com

Thanks Patrick, I'm beginning to think it's a false positive. The top
destinations are all Akamai in nature, and I'm beginning to think there's
something specific about the originating site that's causing the alert.
We're providing internet access to a couple dozen recipients of similar
size, and this is the only one generating that traffic.


On Thu, Apr 18, 2013 at 10:57 AM, Patrick Mullen <pmullen@sourcefire.com> wrote:

> Michael,
>
> Thank you for your query.  That rule is known to have issues with
> false positives so it is not enabled in any default policies, which
> means it is disabled by default.  The proper replacement for this
> alert is from a preprocessor, which has more contextual information
> surrounding the event than is possible within the rule --
>
> 129:15:1 Reset outside window
>
> (That is sid 15 of preprocessor 129, Stream5).
>
> Regarding your statement "There are two ISA servers on that network,
> and they've been patched according to the KB article referenced in the
> rule detail, but the alerts are still being generated," the rule has
> no way of knowing that your servers are patched.  This is part of
> tuning your IDS policy -- if you know your servers are not susceptible
> to this three year old attack, disable the rule to improve performance
> and reduce unnecessary alerts.
>
>
> Thanks,
>
> ~Patrick
>
> On Thu, Apr 18, 2013 at 11:55 AM, Miller - CDLE, Michael
> <michael.miller@state.co.us> wrote:
> > I'm hunting down a rule that's generating a LOT of traffic on our network
> > and was wondering if there were a wiki or history of rules to see what the
> > thinking was behind them. Specifically, I'm alerting on
> >
> > [3:15474:5] BAD-TRAFFIC Microsoft ISA Server and Forefront Threat Management
> > Gateway invalid RST denial of service attempt [Classification: Attempted
> > Denial of Service]
> >
> > There are two ISA servers on that network, and they've been patched
> > according to the KB article referenced in the rule detail
> > (http://technet.microsoft.com/en-us/security/bulletin/MS09-016), but the
> > alerts are still being generated.
> >
> >
> > ------------------------------------------------------------------------------
> > Precog is a next-generation analytics platform capable of advanced
> > analytics on semi-structured data. The platform includes APIs for building
> > apps and a phenomenal toolset for data science. Developers can use
> > our toolset for easy data analysis & visualization. Get a free account!
> > http://www2.precog.com/precogplatform/slashdotnewsletter
> > _______________________________________________
> > Snort-sigs mailing list
> > Snort-sigs@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/snort-sigs
> > http://www.snort.org
> >
> >
> > Please visit http://blog.snort.org for the latest news about Snort!
>
>
>
> --
> Patrick Mullen
> Response Research Manager
> Sourcefire VRT
>



-- 
*Michael Miller*
*Network Security Engineer - SECOPS*
Governor's Office of Information Technology
Office of Information Security <http://www.colorado.gov/cs/Satellite/OIT-Cyber/CBON/1249667675596>
633 17th st, Suite 800
Denver, Co 80202
Office (303)318-8317
Cell (720)308-0795

** How am I doing? **
** Please contact my manager, jonathan.trull@state.co.us for comments or
questions. **
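The thread turns on two tuning questions: is rule 3:15474 firing for one site's traffic only, and does the Stream5 event 129:15 that Patrick names agree with it on the same connections? The script below is an added example, not code from this thread, from Sourcefire or from the Snort project. It parses Snort 2.x alert_fast lines (the layout is assumed), aggregates them per gid:sid by source and destination host, counts how many rule alerts have a matching Stream5 "Reset outside window" event on the same src->dst pair, and builds a threshold.conf suppress entry for the rule. All sample lines, the RFC 5737 addresses and the 1:1000001 local rule are constructed.

```python
"""Aggregate Snort alert_fast lines per gid:sid to support rule tuning.

Added example for the snort-sigs thread above; it is not code from the
thread, from Sourcefire or from the Snort project. Assumes Snort 2.x
alert_fast output; all sample lines, addresses and the 1:1000001 rule
are constructed.
"""
import re
from collections import Counter

# One alert_fast line: "<ts>  [**] [gid:sid:rev] msg [**] [Classification: x]
# [Priority: n] {PROTO} src:port -> dst:port". Classification is optional
# because preprocessor events may omit it.
FAST_ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"(?:\s+\[Priority:\s*(?P<prio>\d+)\])?"
    r"\s+\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)"
)

ISA_RST_RULE = (3, 15474)               # rule discussed in the thread
STREAM5_RST_OUTSIDE_WINDOW = (129, 15)  # preprocessor event Patrick names
ISA_MSG = ("BAD-TRAFFIC Microsoft ISA Server and Forefront Threat Management "
           "Gateway invalid RST denial of service attempt")


def fast_line(ts, gid, sid, rev, msg, src, dst, cls=None, prio=2, proto="TCP"):
    """Build one line in the alert_fast layout (used only to construct samples)."""
    cls_part = f" [Classification: {cls}]" if cls else ""
    return (f"{ts}  [**] [{gid}:{sid}:{rev}] {msg} [**]{cls_part} "
            f"[Priority: {prio}] {{{proto}}} {src} -> {dst}")


# Constructed sample: one CDN-side host dominates the ISA RST alerts, and only
# the first of them coincides with a Stream5 "Reset outside window" event.
SAMPLE_ALERTS = [
    fast_line("04/18-10:01:02.000001", 3, 15474, 5, ISA_MSG,
              "198.51.100.7:443", "192.0.2.10:52001", cls="Attempted Denial of Service"),
    fast_line("04/18-10:01:02.000002", 3, 15474, 5, ISA_MSG,
              "198.51.100.7:443", "192.0.2.10:52002", cls="Attempted Denial of Service"),
    fast_line("04/18-10:01:02.000003", 3, 15474, 5, ISA_MSG,
              "198.51.100.8:80", "192.0.2.10:52003", cls="Attempted Denial of Service"),
    fast_line("04/18-10:01:02.000004", 3, 15474, 5, ISA_MSG,
              "198.51.100.7:443", "192.0.2.11:52004", cls="Attempted Denial of Service"),
    fast_line("04/18-10:01:03.000001", 129, 15, 1, "Reset outside window",
              "198.51.100.7:443", "192.0.2.10:52001", prio=3),
    fast_line("04/18-10:01:04.000001", 1, 1000001, 1, "LOCAL constructed test rule",
              "192.0.2.20:5353", "192.0.2.255:5353", cls="Misc activity", prio=3, proto="UDP"),
]


def parse_alert(line):
    """Return a dict of fields for one alert_fast line, or None if it does not match."""
    m = FAST_ALERT_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("gid", "sid", "rev"):
        rec[key] = int(rec[key])
    # Drop the port so hosts aggregate regardless of ephemeral port.
    rec["src_ip"] = rec["src"].rsplit(":", 1)[0]
    rec["dst_ip"] = rec["dst"].rsplit(":", 1)[0]
    return rec


def summarize(lines, gid, sid):
    """Count alerts for one gid:sid, broken down by source and destination host."""
    alerts = [a for a in map(parse_alert, lines) if a and (a["gid"], a["sid"]) == (gid, sid)]
    return {
        "total": len(alerts),
        "by_src": Counter(a["src_ip"] for a in alerts),
        "by_dst": Counter(a["dst_ip"] for a in alerts),
    }


def top_share(counter):
    """Fraction of events attributable to the single most common key (0.0 if empty)."""
    total = sum(counter.values())
    return counter.most_common(1)[0][1] / total if total else 0.0


def corroborated(lines, rule, event):
    """(matched, total): rule alerts that have the preprocessor event on the same src->dst."""
    parsed = [a for a in map(parse_alert, lines) if a]
    seen = {(a["src"], a["dst"]) for a in parsed if (a["gid"], a["sid"]) == event}
    rule_alerts = [a for a in parsed if (a["gid"], a["sid"]) == rule]
    return sum((a["src"], a["dst"]) in seen for a in rule_alerts), len(rule_alerts)


def suppress_line(gid, sid, track=None, ip=None):
    """Build a Snort 2.x threshold.conf 'suppress' entry, optionally scoped to one host."""
    line = f"suppress gen_id {gid}, sig_id {sid}"
    if track and ip:
        line += f", track {track}, ip {ip}"
    return line


if __name__ == "__main__":
    s = summarize(SAMPLE_ALERTS, *ISA_RST_RULE)
    print(f"3:15474 alerts: {s['total']}, top source share {top_share(s['by_src']):.0%}")
    print("corroborated by 129:15: %d of %d"
          % corroborated(SAMPLE_ALERTS, ISA_RST_RULE, STREAM5_RST_OUTSIDE_WINDOW))
    print(suppress_line(*ISA_RST_RULE))
```

A high top-source or top-destination share, with few corroborating Stream5 events, is the pattern Michael describes: the rule keys on one site's traffic rather than on a genuine RST attack. One caveat when reading the corroboration count: Stream5 TCP anomaly events (generator 129) are only emitted when `detect_anomalies` is set on the `stream5_tcp` preprocessor line, so zero matches may simply mean that option is off. The `suppress` form scoped with `track by_src, ip ...` keeps the rule active for other hosts while silencing the known false positive, which is a narrower change than disabling the sid outright.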



