[Emerging-Sigs] Fast Flux DNS sigs

David Glosser david.glosser at gmail.com
Thu Feb 14 12:25:53 EST 2008


I know there was some work on fast flux DNS sigs (ttl <60 secs), but they
generated false positives, as Google and others use TTLs of less than 60
seconds.

Can a "white list" of valid domains (google, yahoo, cnn, etc) be generated
which would not trip the sig, maybe using some sort of dynamic rule?

Or would such a list be too long?
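
The following is an added example, not part of the original post and not an Emerging Threats rule: a sketch of the low-TTL check with an allowlist, assuming DNS answers have already been extracted as (name, TTL, address) tuples. The allowlist entries, sample records, and function names are constructed for illustration; matching is done on whole labels so that lookalike names do not inherit an allowlisted zone's exemption.

```python
# Added example: low-TTL check with an allowlist, over constructed sample data.
TTL_THRESHOLD = 60  # seconds, the "ttl <60 secs" condition from the post

# Hypothetical allowlist; entries are zones, so subdomains are covered too.
ALLOWLIST = {"google.com", "yahoo.com", "cnn.com"}


def normalize(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.rstrip(".").lower()


def is_allowlisted(qname, allowlist=ALLOWLIST):
    """True if qname equals an allowlisted zone or is a subdomain of one.

    Matching is done on whole labels, so 'notgoogle.com' and
    'google.com.flux.example.net' do not match 'google.com'.
    """
    labels = normalize(qname).split(".")
    return any(".".join(labels[i:]) in allowlist for i in range(len(labels)))


def low_ttl_alerts(answers, threshold=TTL_THRESHOLD, allowlist=ALLOWLIST):
    """Return sorted names whose TTL is below threshold and not allowlisted."""
    hits = set()
    for qname, ttl, _addr in answers:
        if ttl < threshold and not is_allowlisted(qname, allowlist):
            hits.add(normalize(qname))
    return sorted(hits)


# Constructed sample answers: (query name, TTL in seconds, address).
# Addresses come from documentation ranges; the records are not real lookups.
SAMPLE_ANSWERS = [
    ("www.google.com.", 30, "192.0.2.10"),               # allowlisted subdomain
    ("WWW.CNN.COM", 45, "192.0.2.20"),                   # case-insensitive match
    ("notgoogle.com", 20, "198.51.100.5"),               # string suffix, not a label match
    ("google.com.flux.example.net", 5, "198.51.100.6"),  # allowlisted name used as a prefix
    ("flux.example.net", 5, "203.0.113.7"),              # low TTL, not allowlisted
    ("static.example.org", 3600, "203.0.113.8"),         # TTL above the threshold
]

if __name__ == "__main__":
    for name in low_ttl_alerts(SAMPLE_ANSWERS):
        print("low TTL, not allowlisted:", name)
```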