Hi Joseph
Could you post the whole rule? I suspect that there might be a flowbit involved here.
Regards,
Lysemose
Visit this group at http://groups.google.com/group/security-onion.
alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"BAD-TRAFFIC TMG Firewall Client long host entry exploit attempt"; sid:19187; gid:3; rev:2; classtype:attempted-user; reference:cve,2011-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-040; metadata: engine shared, soid 3|19187;)

Interesting though. That rule (which I got from the "View Rule" button on the web interface) has a different gid. The web interface itself has a Generator ID of 1. The rule above has 3?
Thanks!
--
Exactly, that's the problem. Try disabling or suppressing the rule with 3:19187...
Regards,
Lysemose
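The gid mismatch Joseph and Lysemose are discussing is easy to get wrong by hand, so here is an added example (written for this thread, not code from the original posters or from Security Onion) that parses a Snort rule's option section, pulls out gid and sid, and emits the matching disable and suppress entries. It assumes two formats that Security Onion's rule management relies on: PulledPork's disablesid.conf, which takes `gid:sid` entries, and Snort's threshold.conf, which takes `suppress gen_id <gid>, sig_id <sid>` lines. The TMG rule is the one Joseph posted; the second rule (`PLAIN_RULE`) is constructed here to show that a rule with no `gid` option is gid 1 by default, which is why an entry written as `1:19187` never matches the shared-object rule.

```python
import re

# Rule text quoted from the thread (a shared-object rule stub: note gid:3 and "engine shared").
TMG_RULE = (
    'alert udp $EXTERNAL_NET 53 -> $HOME_NET any '
    '(msg:"BAD-TRAFFIC TMG Firewall Client long host entry exploit attempt"; '
    'sid:19187; gid:3; rev:2; classtype:attempted-user; reference:cve,2011-1889; '
    'reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-040; '
    'metadata: engine shared, soid 3|19187;)'
)

# Constructed sample (not from the thread): an ordinary text rule with no gid option.
PLAIN_RULE = (
    'alert tcp $HOME_NET any -> $EXTERNAL_NET 80 '
    '(msg:"EXAMPLE constructed rule; semicolon inside msg"; sid:1000001; rev:1;)'
)


def split_options(body):
    """Split a rule's option body on ';' while ignoring ';' inside quoted strings."""
    opts, cur, in_quote, escape = [], [], False, False
    for ch in body:
        if escape:                      # character after a backslash inside quotes
            cur.append(ch)
            escape = False
            continue
        if in_quote and ch == '\\':
            cur.append(ch)
            escape = True
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ';' and not in_quote:
            opts.append(''.join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    tail = ''.join(cur).strip()
    if tail:
        opts.append(tail)
    return [o for o in opts if o]


def parse_rule(rule):
    """Return (gid, sid, options) for a Snort rule.

    Snort treats a rule without an explicit gid option as gid 1 (text rules);
    shared-object rules carry gid:3 in their stub, as in the rule from the thread.
    """
    start, end = rule.index('('), rule.rindex(')')
    options = []
    for opt in split_options(rule[start + 1:end]):
        key, _, value = opt.partition(':')   # bare options such as "nocase" get value ''
        options.append((key.strip(), value.strip()))
    lookup = dict(options)                   # last value wins; fine for sid/gid/rev
    gid = int(lookup.get('gid', 1))
    sid = int(lookup['sid'])
    return gid, sid, options


def is_shared_object(rule):
    """True when the metadata option marks the rule as a shared-object (SO) stub."""
    _, _, options = parse_rule(rule)
    return any(k == 'metadata' and re.search(r'\bengine\s+shared\b', v) for k, v in options)


def gid_sid_matches(spec, rule):
    """Does a 'gid:sid' entry (disablesid.conf style) refer to this rule?"""
    g, s = spec.split(':')
    gid, sid, _ = parse_rule(rule)
    return (int(g), int(s)) == (gid, sid)


def suppression_lines(rule):
    """Entries that actually hit the rule: one for disablesid.conf, one for threshold.conf."""
    gid, sid, _ = parse_rule(rule)
    return {
        'disablesid': f'{gid}:{sid}',
        'threshold': f'suppress gen_id {gid}, sig_id {sid}',
    }


if __name__ == '__main__':
    for name, rule in (('TMG_RULE', TMG_RULE), ('PLAIN_RULE', PLAIN_RULE)):
        gid, sid, _ = parse_rule(rule)
        print(f'{name}: gid={gid} sid={sid} shared_object={is_shared_object(rule)}')
        for k, v in suppression_lines(rule).items():
            print(f'  {k}: {v}')
    # The entry one would naively write from the web interface's "Generator ID 1" does not match:
    print('1:19187 matches TMG_RULE?', gid_sid_matches('1:19187', TMG_RULE))
    print('3:19187 matches TMG_RULE?', gid_sid_matches('3:19187', TMG_RULE))
```

Running it prints gid 3 for the TMG rule and gid 1 for the constructed plain rule, and shows that `1:19187` does not match while `3:19187` does, which is the fix Lysemose suggests above. When a "View Rule" stub shows `metadata: engine shared, soid <gid>|<sid>`, the gid in the stub, not the generator ID displayed elsewhere in the interface, is what the disable or suppress entry has to use.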