|
|
|
Choosing A Webhost: |
Re: Unusually High Client DNS Query Volume -- lots of hits.: msg#00170security.ids.snort.bleedingsnort
That's a much better sig than the original. Whoever wrote that original one is some kind of moron... :) I'll post this asap. Appreciate you expanding on the concept! Matt Chris Byrd wrote: > I'd like to submit the following updated rule: > > alert udp !$SMTP_SERVERS any -> $DNS_SERVERS 53 (msg:"BLEEDING-EDGE \ > POLICY Possible Spambot -- Host DNS MX Query High Count"; \ > content: "|01 00|"; offset: 2; depth: 4; content: "|00 0f 00 01|"; > distance: 8; \ > threshold:type both, count 30, seconds 10, track by_src; classtype: > bad-unknown; \ > sid:2003330; rev:2;) > > - Added content matches for DNS queries 'content: "|00 01|"; offset:2; > depth:4' and MX querytype 'content: "|00 0f 00 01|"; distance: 8'. > - Changed the source to '!$SMTP_SERVERS' to avoid triggering from > known SMTP servers (interesting behavior - see the note below). > - Reduced the threshold time as the previous changes should be enough > to weed out false positives. > - Modified the classification to 'classtype: bad-unknown' as it seemed > a bit more appropriate as "Potentially Bad Traffic" and a higher > default priority. > - Tweaked the description to 'BLEEDING-EDGE POLICY Possible Spambot -- > Host DNS MX Query High Count' to suit personal preference. > > Note: There's an interesting behavior to the negation '!' operator in > rule addresses. Left at default where $HOME_NET is 'any' and > $SMTP_SERVERS is '$HOME_NET', this rule effectively says 'NOT any' > which shouldn't work, but does (it appears to match any - perhaps as a > safety valve). If $HOME_NET has been changed from default (for > example, to 192.168.1.0/24) and $SMTP_SERVERS is left default, than > the source is effectively 'NOT 192.168.1.0/24' which would never > match. IMHO, neither case breaks anything, and the variables should > be defined. > > I've tested this on my network, but as always YMMV. > > Thanks, > > - Chris > _______________________________________________ > Bleeding-sigs mailing list > Bleeding-sigs-WwB1pFISwSkm7effSn6vN9HuzzzSOjJt@xxxxxxxxxxxxxxxx > http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs -- -------------------------------------------- Matthew Jonkman Bleeding Edge Threats 765-429-0398 765-807-3060 fax http://www.bleedingthreats.net -------------------------------------------- PGP: http://www.bleedingthreats.com/mattjonkman.asc
|
|
| <Prev in Thread] | Current Thread | [Next in Thread> |
|---|---|---|
| Previous by Date: | Re: Unusually High Client DNS Query Volume -- lots of hits., Chris Byrd |
|---|---|
| Next by Date: | Re: P0F in Snort?, tom |
| Previous by Thread: | Re: Unusually High Client DNS Query Volume -- lots of hits., Chris Byrd |
| Next by Thread: | Re: Unusually High Client DNS Query Volume -- lots of hits., Russell Fulton |
| Indexes: | [Date] [Thread] [Top] [All Lists] |
Free MagazinesCisco NewsReceive a free quarterly e-newsletter with exclusive articles on how Cisco IT uses its own products and solutions to enable the business. subscribe Systems Management News, the newspaper for IT systems administration and data center managers! Each issue of Systems Management News is chock-full of news and analysis to help you understand what's happening in your field. subscribe The Enterprise Newsweekly eWeek is the essential technology information source for builders of e-business. subscribe Oracle Magazine Oracle Magazine contains technology strategy articles, sample code, tips, Oracle and partner news, how to articles for developers and DBAs, and more. Oracle (NASDAQ: ORCL) is the world's largest enterprise software company. subscribe Total Telecom Total Telecom is "The Economist of the communications industry". subscribe |
