Re: Unusually High Client DNS Query Volume -- lots of hits.: msg#00195

Subject: Re: Unusually High Client DNS Query Volume -- lots of hits.

They're not in your DNS_SERVERS var?

Guess they wouldn't be. Maybe add a new var for $HIGH_DNS_USERS :)

Matt

Russell Fulton wrote:
>
> Matt Jonkman wrote:
>> That's a much better sig than the original. Whoever wrote that original
>> one is some kind of moron... :)
>>
>> I'll post this asap. Appreciate you expanding on the concept!
>>
>>
> BLEEDING-EDGE POLICY Possible Spambot -- Host DNS MX Query High Count
> <https://ruru.insec/placid/summary.py?%20&timebefore=86400%20%20&signame=BLEEDING-EDGE%20POLICY%20Possible%20Spambot%20--%20Host%20DNS%20MX%20Query%20High%20Count%20&ipdst=distinct%20&groupby=signatures>
> is *much* better. I'm getting thousands of hits off the foundry boxes in
> front of our MTAs and bugger all else! I'll tweak the oinkmaster
> config to change the source field and all should be hunky dory!
>
> Thanks Chris!
>
> Russell
>
>
> _______________________________________________
> Bleeding-sigs mailing list
> Bleeding-sigs-WwB1pFISwSkm7effSn6vN9HuzzzSOjJt@xxxxxxxxxxxxxxxx
> http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs

--
--------------------------------------------
Matthew Jonkman
Bleeding Edge Threats
765-429-0398
765-807-3060 fax
http://www.bleedingthreats.net
--------------------------------------------

PGP: http://www.bleedingthreats.com/mattjonkman.asc
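A concrete version of the $HIGH_DNS_USERS idea from this thread, added here as an example and not taken from the list or from Bleeding Edge Threats: the var definitions, a local rule that counts MX queries per source while excluding the MTA front-ends, and the oinkmaster modifysid line for applying the same source-field change to a downloaded rule. The addresses, the SID, the count, and the original rule's header text are assumptions.

```snort
# snort.conf: resolvers, plus the hosts that legitimately make many MX
# lookups (the MTA front-ends). Addresses are placeholders.
var DNS_SERVERS [192.0.2.53,192.0.2.54]
var HIGH_DNS_USERS [192.0.2.10,192.0.2.11]

# local.rules: a DNS question for MX (QTYPE 15, QCLASS IN) ends with the
# name's terminating null label followed by 00 0F 00 01. Matches are counted
# per source; !$HIGH_DNS_USERS keeps the MTA front-ends out of the source
# field. SID and count are assumptions, not the published rule's values.
alert udp !$HIGH_DNS_USERS any -> $DNS_SERVERS 53 ( \
    msg:"LOCAL POLICY Possible Spambot -- Host DNS MX Query High Count"; \
    content:"|00 00 0F 00 01|"; \
    threshold: type threshold, track by_src, count 100, seconds 60; \
    classtype:policy-violation; sid:1000001; rev:1; )

# oinkmaster.conf: apply the same exclusion to a downloaded rule instead of
# editing it by hand. The SID and the assumed original header "$HOME_NET any"
# are placeholders; check them against the rule you actually receive.
# modifysid 2000000 "^alert udp \$HOME_NET any" | "alert udp !\$HIGH_DNS_USERS any"
```

The `threshold` rule keyword is the Snort 2.x syntax of the period; Snort 2.8.5 and later express the same per-source count with `detection_filter`.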

