[Emerging-Sigs] Spyware DNS rules
Jack Pepper
pepperjack at afferentsecurity.com
Wed Feb 20 09:14:19 EST 2008
Quoting David Glosser <david.glosser at gmail.com>:
> If the site is using the dns-bh list or a good content filter then the hits
> will just contain a query for the IP address, which won't correspond to a
> visit to the actual web site, correct?
If a site is using dns-bh, then the lookup by the workstation will be
redirected to a listening post or loopback, or whatever. So the lookup
itself is harmless.
What the hit on the lookup indicates is that the dumass user clicked
on something shiny, or has spyware installed, or visited a site that
tried to do a drive-by install.
If a site uses these rules without using dns-bh, then it indicates the
sysadmin has a craving for huge alert files and big numbers in the
management reports: "hey boss we got 150000 hits on snort rules! I'm
doing something important!".
jp
--
Framework? I don't need no steenking framework!
----------------------------------------------------------------
@fferent Security Labs: Isolate/Insulate/Innovate
http://www.afferentsecurity.com
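The distinction drawn above (a blackholed lookup is harmless but still fingers the host, while a lookup that resolves to a real address may precede an actual connection) can be turned into a small triage step. This is an added example, not code from the post or the Emerging Threats project; the resolver log format, the blackhole list, the sinkhole addresses and the sample lines are all constructed for illustration.

```python
"""Triage spyware-DNS hits against a dns-bh style blackhole list (added example)."""
import ipaddress
import re

# Constructed dns-bh style list: names the local resolver redirects.
BLACKHOLE_DOMAINS = {"spyware-updates.example", "tracker.example"}

# Constructed sinkhole / listening-post addresses (loopback or a local sensor).
SINKHOLE_ADDRS = {ipaddress.ip_address("127.0.0.1"), ipaddress.ip_address("10.0.0.250")}

# Constructed resolver log format: "<ts> client=<ip> query=<name> answer=<ip|NXDOMAIN>"
LINE_RE = re.compile(r"^(?P<ts>\S+) client=(?P<client>\S+) query=(?P<name>\S+) answer=(?P<answer>\S+)$")


def classify(line):
    """Return (client, name, verdict) for a blackholed name, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    name = m.group("name").rstrip(".").lower()
    if name not in BLACKHOLE_DOMAINS:
        return None  # ordinary lookup: nothing to alert on
    try:
        addr = ipaddress.ip_address(m.group("answer"))
    except ValueError:
        return m.group("client"), name, "unresolved"  # NXDOMAIN etc.: no connection possible
    # Sinkholed: the lookup itself is harmless, but the host is clicking or infected.
    # Live: no dns-bh in front of this client, so a real connection may follow.
    return m.group("client"), name, "sinkholed" if addr in SINKHOLE_ADDRS else "live"


def triage(lines):
    """Per-client counts of sinkholed, live and unresolved blackhole-list lookups."""
    summary = {}
    for line in lines:
        result = classify(line)
        if result is None:
            continue
        client, _, verdict = result
        summary.setdefault(client, {"sinkholed": 0, "live": 0, "unresolved": 0})[verdict] += 1
    return summary


# Constructed sample log: one client behind dns-bh, one without it.
SAMPLE_LOG = [
    "2008-02-20T09:00:01 client=192.168.1.20 query=spyware-updates.example. answer=127.0.0.1",
    "2008-02-20T09:00:02 client=192.168.1.20 query=www.example.org. answer=203.0.113.5",
    "2008-02-20T09:00:03 client=192.168.1.31 query=tracker.example. answer=203.0.113.77",
    "2008-02-20T09:00:04 client=192.168.1.31 query=TRACKER.example. answer=NXDOMAIN",
]

if __name__ == "__main__":
    for client, counts in triage(SAMPLE_LOG).items():
        print(client, counts)
```

Hosts with any sinkholed count are cleanup candidates; hosts with live hits are the ones where the alert may correspond to a real connection and deserve the first look.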