Re: Unusually High Client DNS Query Volume -- lots of hits.
Message #00170, security.ids.snort.bleedingsnort
That's a much better sig than the original. Whoever wrote that original one is some kind of moron... :) I'll post this asap. Appreciate you expanding on the concept!

Matt

Chris Byrd wrote:
> I'd like to submit the following updated rule:
>
> alert udp !$SMTP_SERVERS any -> $DNS_SERVERS 53 (msg:"BLEEDING-EDGE \
> POLICY Possible Spambot -- Host DNS MX Query High Count"; \
> content: "|01 00|"; offset: 2; depth: 4; content: "|00 0f 00 01|"; \
> distance: 8; \
> threshold:type both, count 30, seconds 10, track by_src; classtype: \
> bad-unknown; \
> sid:2003330; rev:2;)
>
> - Added content matches for DNS queries 'content: "|00 01|"; offset:2; depth:4' and MX querytype 'content: "|00 0f 00 01|"; distance: 8'.
> - Changed the source to '!$SMTP_SERVERS' to avoid triggering from known SMTP servers (interesting behavior - see the note below).
> - Reduced the threshold time as the previous changes should be enough to weed out false positives.
> - Modified the classification to 'classtype: bad-unknown' as it seemed a bit more appropriate as "Potentially Bad Traffic" and a higher default priority.
> - Tweaked the description to 'BLEEDING-EDGE POLICY Possible Spambot -- Host DNS MX Query High Count' to suit personal preference.
>
> Note: There's an interesting behavior to the negation '!' operator in rule addresses. Left at default where $HOME_NET is 'any' and $SMTP_SERVERS is '$HOME_NET', this rule effectively says 'NOT any' which shouldn't work, but does (it appears to match any - perhaps as a safety valve). If $HOME_NET has been changed from default (for example, to 192.168.1.0/24) and $SMTP_SERVERS is left default, then the source is effectively 'NOT 192.168.1.0/24' which would never match. IMHO, neither case breaks anything, and the variables should be defined.
>
> I've tested this on my network, but as always YMMV.
>
> Thanks,
>
> - Chris
> _______________________________________________
> Bleeding-sigs mailing list
> Bleeding-sigs-WwB1pFISwSkm7effSn6vN9HuzzzSOjJt@xxxxxxxxxxxxxxxx
> http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs

--
--------------------------------------------
Matthew Jonkman
Bleeding Edge Threats
765-429-0398
765-807-3060 fax
http://www.bleedingthreats.net
--------------------------------------------
PGP: http://www.bleedingthreats.com/mattjonkman.asc
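As an added example that is not part of this thread or of the Bleeding Edge rule set: a Python sketch of what sid 2003330 rev 2 actually tests. It builds constructed DNS queries, applies the rule's two content matches (the flags word at offset 2 / depth 4 and the MX/IN QTYPE/QCLASS at least 8 bytes later), models 'threshold: type both, count 30, seconds 10, track by_src', and applies the '!$SMTP_SERVERS' exclusion as an explicit set, which is what a defined $SMTP_SERVERS variable gives you. The IP addresses, query names, and the find_content / ThresholdBoth / run_rule helpers are all assumptions; the byte matching approximates Snort 2 content semantics rather than reusing Snort's engine.

```python
import struct
from typing import Dict, Iterable, List, Optional, Tuple

# QTYPE / QCLASS values behind the rule's second content match (|00 0f 00 01| = MX, IN)
QTYPE_A = 0x0001
QTYPE_MX = 0x000F
QCLASS_IN = 0x0001


def build_dns_query(qname: str, qtype: int = QTYPE_MX, txid: int = 0x1234) -> bytes:
    """Constructed sample DNS query (not a captured packet).

    Header: ID, flags 0x0100 (standard query, recursion desired), QDCOUNT=1,
    ANCOUNT=NSCOUNT=ARCOUNT=0; then one question: QNAME, QTYPE, QCLASS.
    """
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = [lbl.encode("ascii") for lbl in qname.rstrip(".").split(".")]
    qname_wire = b"".join(bytes([len(lbl)]) + lbl for lbl in labels) + b"\x00"
    return header + qname_wire + struct.pack("!HH", qtype, QCLASS_IN)


def find_content(payload: bytes, pattern: bytes, *, offset: int = 0,
                 depth: Optional[int] = None, relative_to: Optional[int] = None,
                 distance: int = 0) -> Optional[int]:
    """Approximation of Snort 2 'content' modifiers; returns the index just past the match.

    offset/depth bound an absolute search window from the payload start;
    relative_to/distance start the search 'distance' bytes after the end of the
    previous match. In both cases the pattern may begin anywhere in the window,
    so 'distance: 8' is a minimum gap, not an exact one.
    """
    if relative_to is None:
        start, end = offset, (len(payload) if depth is None else offset + depth)
    else:
        start, end = relative_to + distance, len(payload)
    idx = payload.find(pattern, start, end)   # pattern must lie fully inside [start, end)
    return None if idx == -1 else idx + len(pattern)


def matches_mx_query_rule(payload: bytes) -> bool:
    """The two content matches from sid 2003330 rev 2.

    |01 00| within bytes 2..5 -> flags word of a standard query (QR=0, RD=1);
    |00 0f 00 01| at least 8 bytes past that -> QTYPE=MX, QCLASS=IN after the QNAME.
    """
    end_flags = find_content(payload, b"\x01\x00", offset=2, depth=4)
    if end_flags is None:
        return False
    return find_content(payload, b"\x00\x0f\x00\x01", relative_to=end_flags, distance=8) is not None


class ThresholdBoth:
    """'threshold: type both, count N, seconds S, track by_src'.

    Alerts on the N-th matching packet from a source inside an S-second window and
    stays quiet for the rest of that window; the window restarts on the next packet after it expires.
    """

    def __init__(self, count: int, seconds: float) -> None:
        self.count, self.seconds = count, seconds
        self._state: Dict[str, Tuple[float, int]] = {}   # src -> (window start, hits)

    def event(self, src: str, now: float) -> bool:
        start, hits = self._state.get(src, (now, 0))
        if now - start >= self.seconds:
            start, hits = now, 0
        hits += 1
        self._state[src] = (start, hits)
        return hits == self.count


def run_rule(events: Iterable[Tuple[float, str, bytes]], smtp_servers: Iterable[str] = (),
             count: int = 30, seconds: float = 10) -> List[Tuple[float, str]]:
    """Apply the '!$SMTP_SERVERS' exclusion, the content matches and the threshold.

    events: (timestamp, source IP, UDP payload) tuples in time order.
    Returns (timestamp, source) for each alert the rule would raise.
    """
    excluded = set(smtp_servers)
    threshold = ThresholdBoth(count, seconds)
    alerts: List[Tuple[float, str]] = []
    for ts, src, payload in events:
        if src in excluded:            # source is a known SMTP server: rule does not apply
            continue
        if matches_mx_query_rule(payload) and threshold.event(src, ts):
            alerts.append((ts, src))
    return alerts


def constructed_events() -> List[Tuple[float, str, bytes]]:
    """Constructed traffic: a spambot, a real mail server, and an ordinary client (assumed IPs)."""
    events = []
    for i in range(45):   # spambot: 45 MX lookups, one every 100 ms
        events.append((i * 0.1, "10.0.0.5", build_dns_query(f"dom{i}.example", QTYPE_MX)))
    for i in range(60):   # mail server: even more MX lookups, but it is in $SMTP_SERVERS
        events.append((i * 0.1, "10.0.0.2", build_dns_query(f"mx{i}.example", QTYPE_MX)))
    for i in range(40):   # client: A lookups only, never matches the MX content
        events.append((i * 0.1, "10.0.0.7", build_dns_query(f"www{i}.example", QTYPE_A)))
    events.sort(key=lambda e: e[0])
    return events


if __name__ == "__main__":
    for ts, src in run_rule(constructed_events(), smtp_servers={"10.0.0.2"}):
        print(f"{ts:.1f}s  alert: Possible Spambot -- Host DNS MX Query High Count from {src}")
```

Running it yields a single alert, for 10.0.0.5 on its 30th MX query (2.9 s in); the remaining 15 queries in the window are suppressed, the mail server is skipped by the exclusion, and the A-only client never matches. Drop the smtp_servers argument and the mail server fires too, which is the false positive the '!$SMTP_SERVERS' change was added to remove.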