[Emerging-Sigs] Spyware DNS
James Pleger
jpleger at gmail.com
Thu Feb 21 01:20:08 EST 2008
Can't you just resolve all of your blackholed DNS to a specific response
that you can create an IDS signature for? It would require having the IDS
between the DNS servers and the clients, but wouldn't it be a bit easier?
It is a bit late, so my thoughts may be scattered on what you are trying to
get done :P
--James
On Wed, Feb 20, 2008 at 9:49 PM, Jim McQuaid <jim.mcquaid at gmail.com> wrote:
> "What the hit on the lookup indicates is that the dumass user clicked
> on something shiny, or has spyware installed, or visited a site that
> tried to do a driveby install."
>
> I have 113,000 objects blackholed, and cannot run the corresponding
> Snort sigs without dedicating an entire box to it. What I want is a
> DNS-generated entry in my IDS or firewall logs indicating the local
> machine that made the connection attempt, and the blacklisted object
> by name, and I want to do this without using Squid. A succinct, plain
> text log would suffice. So, I've retrieved my handful of DNS
> programming books.
>
> James McQuaid
>
>
>
> --
> James McQuaid
> http://www.jamesmcquaid.com
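The two approaches in this exchange can be shown side by side: a DNS-side plain-text log of which local machine looked up which blackholed name (what Jim asks for, with no Squid involved), and James's alternative of answering every blackholed name with one sinkhole address so that a single IDS rule catches the follow-up connection. The script below is an added example written for this thread, not code from either poster. It assumes a BIND 9 style query log (`client A.B.C.D#port: query: name IN type ...`), a constructed three-entry blocklist standing in for the real 113,000, a constructed sinkhole address (10.255.255.1) and a local-range Snort sid (1000001) used as a placeholder.

```python
import re
from typing import Iterable, List, Optional, Set, Tuple

# Constructed sample blocklist; the real list in the thread has 113,000 entries.
BLOCKLIST = ["bad.example", "tracker.example.net", "drive-by.example.org"]

# Constructed sinkhole address: an otherwise unused RFC 1918 address, so any
# packet toward it is by itself evidence that a client resolved a blackholed name.
SINKHOLE_IP = "10.255.255.1"


def normalize(name: str) -> str:
    """Lower-case and strip the trailing dot so log names and list names compare equal."""
    return name.strip().rstrip(".").lower()


def bind_blackhole_config(domains: Iterable[str], zone_file: str = "blackhole.zone") -> str:
    """named.conf stanzas making this resolver authoritative for every blackholed zone."""
    stanzas = []
    for d in sorted({normalize(x) for x in domains}):
        stanzas.append('zone "%s" { type master; file "%s"; };' % (d, zone_file))
    return "\n".join(stanzas) + "\n"


def blackhole_zone_file(sinkhole_ip: str, ttl: int = 300) -> str:
    """One shared zone file: the apex and the wildcard both answer with the sinkhole address."""
    return (
        "$TTL %d\n"
        "@ IN SOA localhost. hostmaster.localhost. ( 1 3600 900 604800 %d )\n"
        "@ IN NS localhost.\n"
        "@ IN A %s\n"
        "* IN A %s\n" % (ttl, ttl, sinkhole_ip, sinkhole_ip)
    )


def snort_sinkhole_rule(sinkhole_ip: str, sid: int = 1000001) -> str:
    """James's idea: one IDS rule for any HOME_NET host that contacts the sinkhole address.
    The IDS must sit where it can see client -> sinkhole traffic. sid is a placeholder."""
    return ('alert ip $HOME_NET any -> %s any (msg:"Sinkholed domain contacted"; '
            'classtype:trojan-activity; sid:%d; rev:1;)' % (sinkhole_ip, sid))


# BIND 9 query-log line shape: "client 192.168.1.23#51234: query: name IN A + (192.168.1.1)"
QUERY_RE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")


def blocked_zone_for(qname: str, blocked: Set[str]) -> Optional[str]:
    """Return the blackholed zone qname falls under, matching label suffixes only
    (the wildcard A record answers for subdomains, so the log should report the same zone;
    'notbad.example' must NOT match 'bad.example')."""
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocked:
            return candidate
    return None


def parse_query_log(lines: Iterable[str], blocked: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Jim's requirement: (client IP, queried name, matched zone) for every blackholed lookup."""
    blocked_set = {normalize(b) for b in blocked}
    hits = []
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue  # not a query-log line; ignore rather than fail
        zone = blocked_zone_for(m["qname"], blocked_set)
        if zone:
            hits.append((m["client"], normalize(m["qname"]), zone))
    return hits


def plain_text_log(hits: List[Tuple[str, str, str]]) -> str:
    """The succinct plain-text log the thread asks for: one line per hit."""
    return "\n".join("%s %s (%s)" % h for h in hits)


# Constructed query-log lines in BIND 9 format (one deliberate non-matching junk line).
SAMPLE_LOG = [
    "20-Feb-2008 21:49:01.001 client 192.168.1.23#51234: query: ads.tracker.example.net IN A + (192.168.1.1)",
    "20-Feb-2008 21:49:02.002 client 192.168.1.40#40012: query: www.example.com IN A + (192.168.1.1)",
    "20-Feb-2008 21:49:03.003 client 192.168.1.23#51235: query: BAD.example. IN A + (192.168.1.1)",
    "garbage line that is not a query",
    "20-Feb-2008 21:49:04.004 client 192.168.1.55#33001: query: notbad.example IN A + (192.168.1.1)",
]

if __name__ == "__main__":
    print(bind_blackhole_config(BLOCKLIST))
    print(blackhole_zone_file(SINKHOLE_IP))
    print(snort_sinkhole_rule(SINKHOLE_IP))
    print(plain_text_log(parse_query_log(SAMPLE_LOG, BLOCKLIST)))
```

The log parser only needs the resolver's query log, so it answers Jim's question without any IDS in the path; the sinkhole rule needs the IDS to see client traffic toward the sinkhole address, and the two sources can be correlated by client IP. Matching is done on whole label suffixes, because a wildcard record catches every subdomain of a blackholed zone while a plain substring test would also flag unrelated names such as `notbad.example`.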