logo       

Choosing A Webhost:
A web hosting service is a type of Internet hosting service that allows individuals and organizations to provide their own website accessible via the World Wide Web. Web hosts are companies that provide space on a server they own for use by their clients as well as providing Internet connectivity, typically in a data center. Web hosts can also provide data center space and connectivity to the Internet for servers they do not own to be located in their data center, called colocation. more...

Re: Unusually High Client DNS Query Volume -- lots of hits.: msg#00169

security.ids.snort.bleedingsnort

Subject: Re: Unusually High Client DNS Query Volume -- lots of hits.

I'd like to submit the following updated rule:

alert udp !$SMTP_SERVERS any -> $DNS_SERVERS 53 (msg:"BLEEDING-EDGE \
POLICY Possible Spambot -- Host DNS MX Query High Count"; \
content: "|01 00|"; offset: 2; depth: 4; content: "|00 0f 00 01|";
distance: 8; \
threshold:type both, count 30, seconds 10, track by_src; classtype:
bad-unknown; \
sid:2003330; rev:2;)

- Added content matches for DNS queries 'content: "|00 01|"; offset:2;
depth:4' and MX querytype 'content: "|00 0f 00 01|"; distance: 8'.
- Changed the source to '!$SMTP_SERVERS' to avoid triggering from
known SMTP servers (interesting behavior - see the note below).
- Reduced the threshold time as the previous changes should be enough
to weed out false positives.
- Modified the classification to 'classtype: bad-unknown' as it seemed
a bit more appropriate as "Potentially Bad Traffic" and a higher
default priority.
- Tweaked the description to 'BLEEDING-EDGE POLICY Possible Spambot --
Host DNS MX Query High Count' to suit personal preference.

Note: There's an interesting behavior to the negation '!' operator in
rule addresses. Left at default where $HOME_NET is 'any' and
$SMTP_SERVERS is '$HOME_NET', this rule effectively says 'NOT any'
which shouldn't work, but does (it appears to match any - perhaps as a
safety valve). If $HOME_NET has been changed from default (for
example, to 192.168.1.0/24) and $SMTP_SERVERS is left default, than
the source is effectively 'NOT 192.168.1.0/24' which would never
match. IMHO, neither case breaks anything, and the variables should
be defined.

I've tested this on my network, but as always YMMV.

Thanks,

- Chris


<Prev in Thread] Current Thread [Next in Thread>
Google Custom Search

Recently Viewed:
qnx.openqnx.dev...    gcc.libstdc++.c...    solaris.opensol...    information-ret...    misc.misterhous...    web.catalyst.ge...    apache.webservi...    redhat.release....    hardware.lirc/2...    kernel.autofs/2...    technology.sust...    linux.vdr/2003-...    editors.lyx.gen...    org.user-groups...    netbsd.devel.pk...    xdg.devel/2004-...    version-control...    jakarta.slide.d...    debian.packages...    creativecommons...    ports.ppc.embed...    bug-tracking.bu...   
Home | blog view | USPTO Patent Archive | advertise | OSDir is an inevitable website. super tiny logo

Free Magazines

Cisco News
Receive a free quarterly e-newsletter with exclusive articles on how Cisco IT uses its own products and solutions to enable the business.
subscribe

Systems Management News, the newspaper for IT systems administration and data center managers! Each issue of Systems Management News is chock-full of news and analysis to help you understand what's happening in your field.
subscribe

The Enterprise Newsweekly eWeek is the essential technology information source for builders of e-business.
subscribe

Oracle Magazine Oracle Magazine contains technology strategy articles, sample code, tips, Oracle and partner news, how to articles for developers and DBAs, and more. Oracle (NASDAQ: ORCL) is the world's largest enterprise software company.
subscribe

Total Telecom Total Telecom is "The Economist of the communications industry".
subscribe

Navigation