
Re: Unusually High Client DNS Query Volume -- lots of hits.: msg#00169

security.ids.snort.bleedingsnort

Subject: Re: Unusually High Client DNS Query Volume -- lots of hits.

I'd like to submit the following updated rule:

alert udp !$SMTP_SERVERS any -> $DNS_SERVERS 53 (msg:"BLEEDING-EDGE \
POLICY Possible Spambot -- Host DNS MX Query High Count"; \
content:"|01 00|"; offset:2; depth:4; content:"|00 0f 00 01|"; \
distance:8; \
threshold:type both, count 30, seconds 10, track by_src; \
classtype:bad-unknown; \
sid:2003330; rev:2;)

- Added content matches for DNS queries 'content: "|00 01|"; offset:2;
depth:4' and MX querytype 'content: "|00 0f 00 01|"; distance: 8'.
- Changed the source to '!$SMTP_SERVERS' to avoid triggering from
known SMTP servers (interesting behavior - see the note below).
- Reduced the threshold time as the previous changes should be enough
to weed out false positives.
- Modified the classification to 'classtype: bad-unknown' as it seemed
a bit more appropriate as "Potentially Bad Traffic" and a higher
default priority.
- Tweaked the description to 'BLEEDING-EDGE POLICY Possible Spambot --
Host DNS MX Query High Count' to suit personal preference.

Note: There's an interesting behavior to the negation '!' operator in
rule addresses. Left at default where $HOME_NET is 'any' and
$SMTP_SERVERS is '$HOME_NET', this rule effectively says 'NOT any'
which shouldn't work, but does (it appears to match any - perhaps as a
safety valve). If $HOME_NET has been changed from default (for
example, to 192.168.1.0/24) and $SMTP_SERVERS is left default, then
the source is effectively 'NOT 192.168.1.0/24' which would never
match. IMHO, neither case breaks anything, and the variables should
be defined.

I've tested this on my network, but as always YMMV.

Thanks,

- Chris
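Added illustration (not part of Chris's post or the Bleeding Edge rule set): a small Python model of what the rule above actually matches and when the threshold fires. It builds constructed DNS query payloads, applies the two content checks with Snort's offset/depth/distance semantics (flags 0x0100 in header bytes 2-5, then QTYPE=MX/QCLASS=IN searched from byte 12 onward), exempts hosts listed in a hypothetical SMTP_SERVERS set to mirror the !$SMTP_SERVERS negation, and emulates "threshold: type both, count 30, seconds 10, track by_src" as one alert per source per window. The IP addresses and traffic mix are made up for the demo.

```python
"""Model of the posted MX-query rule: header flag match, QTYPE match, and a
per-source 'type both' threshold.  Added example, not code from the post."""
import struct
from collections import defaultdict

# Byte patterns taken from the rule's |..| hex content strings.
FLAGS_STD_QUERY = bytes.fromhex("0100")        # QR=0, opcode=0, RD=1
QTYPE_MX_CLASS_IN = bytes.fromhex("000f0001")  # QTYPE 15 (MX), QCLASS 1 (IN)
DNS_HEADER_LEN = 12

def build_dns_query(name, qtype, flags=0x0100, txid=0x1234):
    """Build a minimal single-question DNS payload (constructed sample input).
    qtype 1 = A, 15 = MX, 28 = AAAA; flags 0x8180 would be a typical response."""
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = [lbl.encode() for lbl in name.strip(".").split(".")]
    qname = b"".join(bytes([len(lbl)]) + lbl for lbl in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def snort_content(payload, pattern, start, end=None):
    """Emulate a Snort content match confined to payload[start:end].
    Returns the index just past the match, or -1 if not found."""
    idx = payload.find(pattern, start, end)
    return -1 if idx < 0 else idx + len(pattern)

def matches_mx_query(payload):
    """The rule's two content checks, in order."""
    # content:"|01 00|"; offset:2; depth:4;  -> search bytes 2..5 (the flags word)
    end1 = snort_content(payload, FLAGS_STD_QUERY, 2, 2 + 4)
    if end1 < 0:
        return False
    # content:"|00 0f 00 01|"; distance:8;  -> start 8 bytes past the previous
    # match, i.e. at byte 12, so the search skips the header and covers the question
    return snort_content(payload, QTYPE_MX_CLASS_IN, end1 + 8) >= 0

class Threshold:
    """threshold: type both, count N, seconds S, track by_src.
    Fires once when the N-th matching packet from a source arrives inside an
    S-second window, then stays silent until that window expires."""
    def __init__(self, count=30, seconds=10):
        self.count, self.seconds = count, seconds
        self.state = defaultdict(lambda: {"start": None, "n": 0, "fired": False})

    def hit(self, src, ts):
        s = self.state[src]
        if s["start"] is None or ts - s["start"] >= self.seconds:
            s.update(start=ts, n=0, fired=False)   # new window for this source
        s["n"] += 1
        if s["n"] >= self.count and not s["fired"]:
            s["fired"] = True
            return True
        return False

def run_rule(packets, smtp_servers=frozenset(), count=30, seconds=10):
    """packets: iterable of (timestamp, src_ip, dns_payload).
    smtp_servers models !$SMTP_SERVERS and assumes the variable is actually
    defined (hypothetical addresses).  Returns the list of (ts, src) alerts."""
    th = Threshold(count, seconds)
    alerts = []
    for ts, src, payload in packets:
        if src in smtp_servers:                # known MTAs are exempt from the rule
            continue
        if matches_mx_query(payload) and th.hit(src, ts):
            alerts.append((ts, src))
    return alerts

def demo():
    """Constructed traffic: a suspect host and a legitimate MTA each send 40 MX
    queries in 4 s; a workstation sends 40 A queries.  Only the suspect alerts."""
    mx = build_dns_query("mail.example.com", 15)
    a_rec = build_dns_query("www.example.com", 1)
    packets = []
    for i in range(40):
        ts = i / 10
        packets.append((ts, "192.168.1.50", mx))      # suspect host
        packets.append((ts, "192.168.1.10", mx))      # MTA, in SMTP_SERVERS
        packets.append((ts, "192.168.1.77", a_rec))   # A lookups never match
    return run_rule(packets, smtp_servers={"192.168.1.10"})

if __name__ == "__main__":
    for ts, src in demo():
        print(f"{ts:5.1f}s  ALERT Possible Spambot -- MX query high count from {src}")
```

The model makes two points visible that the rule text alone does not: the depth window of bytes 2-5 is what keeps responses (flags 0x81 0x80) from matching, and "type both" means a chatty host produces exactly one alert per 10-second window, not one per query past the 30th. In Snort releases after the one this post targets, the in-rule threshold keyword was deprecated in favour of detection_filter, so check the syntax against the version you run.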

