DNS Query sigs (security.ids.snort.bleedingsnort, msg #00157)

Just committed this. Please test it and let me know how those numbers do. The idea being to catch spambots come live and start looking up large numbers of MX records. (Hmm... maybe we can make these for just MX lookups?) Environments where they can't run the irc sigs for whatever reason, this might help find the bots.

Matt

#Experimenting with this idea. When a bot comes up live and starts spamming, it
# does a massive number of dns queries. This may be an extra way to identify infections
alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"BLEEDING-EDGE POLICY Unusually High Client DNS Query Volume -- Possible Spambot"; threshold: type both, count 60, seconds 20, track by_src; classtype:suspicious-activity; sid:2003330; rev:1;)

--
--------------------------------------------
Matthew Jonkman
Bleeding Edge Threats
765-429-0398
765-807-3060 fax
http://www.bleedingthreats.net
--------------------------------------------
PGP: http://www.bleedingthreats.com/mattjonkman.asc
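As an added illustration, not part of Matt's post or the Bleeding Edge ruleset, the Python below emulates the rule's `threshold: type both, count 60, seconds 20, track by_src` semantics over constructed client DNS events, and adds the "just MX lookups" variant the post wonders about by reading the QTYPE out of each query. All hosts, names and timings are made up; the DNS builder and the threshold emulation are simplified models, not Snort's code.

```python
import struct

QTYPE_A, QTYPE_MX = 1, 15

def build_dns_query(name, qtype, txid=0x1234):
    """Minimal DNS query payload (12-byte header + one question), as a client sends it."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN

def parse_qtype(payload):
    """QTYPE of the first question: walk the label sequence that follows the header."""
    pos = 12
    while payload[pos] != 0:
        pos += 1 + payload[pos]  # skip one label (queries carry no compression pointers)
    return struct.unpack("!H", payload[pos + 1:pos + 3])[0]

class ThresholdBoth:
    """Model of Snort 'threshold: type both, count N, seconds S, track by_src': alert once per
    source when the N-th event lands inside an S-second window, then stay quiet until it expires."""
    def __init__(self, count, seconds):
        self.count, self.seconds = count, seconds
        self.windows = {}  # src -> [window_start, hits, already_alerted]

    def event(self, ts, src):
        win = self.windows.get(src)
        if win is None or ts - win[0] >= self.seconds:
            win = self.windows[src] = [ts, 0, False]  # open a fresh window for this source
        win[1] += 1
        if win[1] >= self.count and not win[2]:
            win[2] = True  # fire once, then ignore the rest of the window
            return True
        return False

def detect_spambot(events, count=60, seconds=20, mx_only=False):
    """Run (ts, src_ip, dns_payload) events through the threshold; returns [(ts, src), ...] alerts."""
    th, alerts = ThresholdBoth(count, seconds), []
    for ts, src, payload in sorted(events, key=lambda e: e[0]):
        if mx_only and parse_qtype(payload) != QTYPE_MX:
            continue  # the MX-only variant drops every other record type before counting
        if th.event(ts, src):
            alerts.append((ts, src))
    return alerts

def sample_events():
    """Constructed traffic: one host firing 80 MX lookups in 10 s, one doing 30 A lookups over 20 s."""
    bot = [(100.0 + i * 0.125, "10.0.0.5", build_dns_query(f"mail{i}.example", QTYPE_MX)) for i in range(80)]
    normal = [(100.0 + i * 0.66, "10.0.0.7", build_dns_query(f"www{i}.example", QTYPE_A)) for i in range(30)]
    return bot + normal
```

Lowering `count` shows why the MX-only idea matters: at `count=20` the plain volume rule also fires on the ordinary A-record client, while the MX-filtered run still flags only the constructed bot.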