848 | 3:19187 | PROTOCOL-DNS TMG Firewall Client long host entry exploit attempt


cm0s...@gmail.com
May 28, 2017, 2:45:47 PM
to security-onion
Please supply me with a link that explains how to modify this sid to make it work like I describe below.

I have a router XXX.XXX.XXX.1 and a computer XXX.XXX.XXX.55. I get an alert that is the one listed as subject. When I look in SGUIL there are over 1000. When I examine the pcaps I see 90% of them are from updates, mail, and advertisements on http, and DNS. The other 10% are possible exploit attempts. Your wiki and all other sources I've read tell me I can modify the sid according to src or dst. But in all 1000 listed the src = *.1 and the dst = *.55. All other alerts show the external IP address in either src or dst. Just this one only sees *.1 as src. Is there anything I can do to make it like the others and see the external IP addresses? I need to modify the sid to exclude all the external IPs that are not hostile.

cm0s...@gmail.com
May 29, 2017, 1:24:04 PM
to security-onion
On Sunday, May 28, 2017 at 6:45:47 PM UTC, cm0s...@gmail.com wrote:
> Please supply me with a link that explains how to modify this sid to make it work like I describe below.
>
> I have a router XXX.XXX.XXX.1 and a computer XXX.XXX.XXX.55. I get an alert that is the one listed as subject. When I look in SGUIL there are over 1000. When I examine the pcaps I see 90% of them are from updates, mail, and advertisements on http, and DNS. The other 10% are possible exploit attempts. Your wiki and all other sources I've read tell me I can modify the sid according to src or dst. But in all 1000 listed the src = *.1 and the dst = *.55. All other alerts show the external IP address in either src or dst. Just this one only sees *.1 as src. Is there anything I can do to make it like the others and see the external IP addresses? I need to modify the sid to exclude all the external IPs that are not hostile.

Here are my network card settings. Do you see anything that would cause all other external IP addresses to be resolved but not the one in the subject line?

# /etc/network/interfaces stanzas for the three sniffing interfaces: each is brought up
# in promiscuous mode with ARP and IPv6 disabled and all NIC offloading turned off so the
# sensor sees packets as they are on the wire. Note that the "ethtool -G $IFACE rx ;"
# lines as posted carry no ring-size value after "rx"; ethtool -G requires one.
auto eth1
iface eth1 inet manual
up ip link set $IFACE promisc on arp off up
down ip link set $IFACE promisc off down
post-up ethtool -G $IFACE rx ; for i in rx tx sg tso ufo gso gro lro; do ethtool -K $IFACE $i off; done
post-up echo 1 > /proc/sys/net/ipv6/conf/$IFACE/disable_ipv6

auto eth2
iface eth2 inet manual
up ip link set $IFACE promisc on arp off up
down ip link set $IFACE promisc off down
post-up ethtool -G $IFACE rx ; for i in rx tx sg tso ufo gso gro lro; do ethtool -K $IFACE $i off; done
post-up echo 1 > /proc/sys/net/ipv6/conf/$IFACE/disable_ipv6

auto eth3
iface eth3 inet manual
up ip link set $IFACE promisc on arp off up
down ip link set $IFACE promisc off down
post-up ethtool -G $IFACE rx ; for i in rx tx sg tso ufo gso gro lro; do ethtool -K $IFACE $i off; done
post-up echo 1 > /proc/sys/net/ipv6/conf/$IFACE/disable_ipv6

cm0s...@gmail.com
May 29, 2017, 1:59:46 PM
to security-onion

SOLVED

Incorrect network setup on XXX.XXX.XXX.55. Primary DNS was set to router address. Router was DNS server. Sorry to take up space.
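Added example, not part of the thread and not Security Onion's own code: a small Python dry run that parses fast.log-style alert lines for one gid:sid, tallies the source addresses, and applies a Snort threshold.conf `suppress` entry (the `suppress gen_id, sig_id, track by_src|by_dst, ip` syntax is Snort's own). It ties the first post's question (tuning the sid by src or dst) to the resolution: when the workstation's primary DNS is the router, every 3:19187 alert carries the router as its source, so a `track by_src` suppress on the router can only drop all of those alerts or none, and the external resolver is never visible to tune against. The log lines, the addresses (192.0.2.1 standing in for XXX.XXX.XXX.1, 192.0.2.55 for XXX.XXX.XXX.55, 203.0.113.53 for an external resolver), the rule revision numbers, classifications and priorities are all constructed.

```python
"""Dry run of a Snort threshold.conf 'suppress' entry over fast.log-style alerts."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed fast.log-style lines (not taken from the thread). 192.0.2.1 stands in for
# the router, 192.0.2.55 for the workstation, 203.0.113.53 for an external resolver.
# Rule revisions, classifications and priorities are assumed values.
SAMPLE_ALERTS = """\
05/28-14:40:01.000001  [**] [3:19187:5] PROTOCOL-DNS TMG Firewall Client long host entry exploit attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {UDP} 192.0.2.1:53 -> 192.0.2.55:51001
05/28-14:40:02.000001  [**] [3:19187:5] PROTOCOL-DNS TMG Firewall Client long host entry exploit attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {UDP} 192.0.2.1:53 -> 192.0.2.55:51002
05/28-14:40:03.000001  [**] [3:19187:5] PROTOCOL-DNS TMG Firewall Client long host entry exploit attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {UDP} 192.0.2.1:53 -> 192.0.2.55:51003
05/28-14:41:00.000001  [**] [1:2000001:1] CONSTRUCTED unrelated rule [**] [Classification: Misc activity] [Priority: 3] {TCP} 198.51.100.10:80 -> 192.0.2.55:52000
05/28-14:41:05.000001  [**] [3:19187:5] PROTOCOL-DNS TMG Firewall Client long host entry exploit attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {UDP} 203.0.113.53:53 -> 192.0.2.55:51004
"""

# Pulls gid:sid:rev, message, protocol and the src -> dst pair out of one fast.log line.
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?"
)


@dataclass(frozen=True)
class Alert:
    gid: int
    sid: int
    msg: str
    proto: str
    src: str
    dst: str


def parse_alerts(text):
    """Parse every line that matches the fast.log layout; other lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            alerts.append(Alert(int(m["gid"]), int(m["sid"]), m["msg"],
                                m["proto"], m["src"], m["dst"]))
    return alerts


def source_breakdown(alerts, gid, sid):
    """Count source IPs for one rule. If a single address (the router acting as
    resolver) accounts for everything, the sensor never sees the upstream peer and
    per-source tuning cannot separate benign lookups from suspicious ones."""
    return dict(Counter(a.src for a in alerts if (a.gid, a.sid) == (gid, sid)))


def suppress_line(gid, sid, track, ip):
    """Render a threshold.conf suppress entry in Snort's documented syntax."""
    if track not in ("by_src", "by_dst"):
        raise ValueError("track must be by_src or by_dst")
    return f"suppress gen_id {gid}, sig_id {sid}, track {track}, ip {ip}"


def apply_suppress(alerts, gid, sid, track, ip):
    """Dry-run the suppress entry: an alert is dropped only when its gid:sid matches
    and the tracked address (src or dst) equals ip. Returns (kept, dropped)."""
    suppress_line(gid, sid, track, ip)  # reuse the validation of 'track'
    kept, dropped = [], []
    for a in alerts:
        addr = a.src if track == "by_src" else a.dst
        (dropped if (a.gid, a.sid) == (gid, sid) and addr == ip else kept).append(a)
    return kept, dropped


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    print("sources seen for 3:19187:", source_breakdown(alerts, 3, 19187))
    print(suppress_line(3, 19187, "by_src", "192.0.2.1"))
    kept, dropped = apply_suppress(alerts, 3, 19187, "by_src", "192.0.2.1")
    print(f"suppressing the router as source drops {len(dropped)}, keeps {len(kept)}")
    # Once the workstation resolves through an external server directly, the alert
    # carries that server as src and the suppress can be scoped to one resolver.
    kept, dropped = apply_suppress(alerts, 3, 19187, "by_src", "203.0.113.53")
    print(f"suppressing one external resolver drops {len(dropped)}, keeps {len(kept)}")
```

The breakdown step is the check worth running before writing any suppress or threshold entry: if one internal address owns 100% of the sources for a rule, the fix belongs in the network path (here, the workstation's DNS setting) rather than in threshold.conf, because any by_src entry would silence the rule wholesale.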
