Unusually High Client DNS Query Volume -- lots of : msg#00167 security.ids.snort.bleedingsnort

alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"BLEEDING-EDGE POLICY
Unusually High Client DNS Query Volume -- Possible Spambot"; threshold:
type both, count 60, s
econds 20, track by_src; classtype:misc-activity; sid:2003330; rev:1;)

I am seeing lots of hits against this rule from machines that
legitimately do lots of DNS lookups. EG print spoolers and other
infrastructure. Comments say that these rules are experimental so I
would suggest that to get rid of FPs in our environment you would need
to raise the threshold substantially, this may however mean that it
would perform its intended
function.

Russell

<Prev in Thread]	Current Thread	[Next in Thread>

<Prev in Thread]

Current Thread

[Next in Thread>

Previous by Date:	Re: Stormy P2P bot Sigs -- may be SKYPE ?: 00167, Russell Fulton
Next by Date:	RE: P0F in Snort?: 00167, Michael Scheidell
Previous by Thread:	DNS Query sigsi: 00167, Matt Jonkman
Next by Thread:	Re: Unusually High Client DNS Query Volume -- lots of hits.: 00167, Chris Byrd
Indexes:	[Date] [Thread] [Top] [All Lists]

Previous by Date:

Re: Stormy P2P bot Sigs -- may be SKYPE ?: 00167, Russell Fulton

Next by Date:

RE: P0F in Snort?: 00167, Michael Scheidell

Previous by Thread:

DNS Query sigsi: 00167, Matt Jonkman

Next by Thread:

Re: Unusually High Client DNS Query Volume -- lots of hits.: 00167, Chris Byrd

Indexes:

[Date] [Thread] [Top] [All Lists]

Unusually High Client DNS Query Volume -- lots of hits.: msg#00167

security.ids.snort.bleedingsnort