[Emerging-Sigs] suggested rule change
Jack Pepper
pepperjack at afferentsecurity.com
Fri Feb 22 09:33:23 EST 2008
On rule 2003330, rev:3.
I would suggest changing the "!$SMTP_SERVERS" field to be
"![$DNS_SERVERS,$SMTP_SERVERS]". This will prevent a few bogus hits.
before:
alert udp !$SMTP_SERVERS any -> $DNS_SERVERS 53 (msg:"ET POLICY
Possible Spambot -- Host DNS MX Query High Count"; content: "|01 00|";
offset: 2; depth: 4; content: "|00 0f 00 01|"; distance: 8;
threshold:type both, count 30, seconds 10, track by_src;
classtype:bad-unknown; sid:2003330; rev:3;)
after:
alert udp ![$DNS_SERVERS,$SMTP_SERVERS] any -> $DNS_SERVERS 53
(msg:"ET POLICY Possible Spambot -- Host DNS MX Query High Count";
content: "|01 00|"; offset: 2; depth: 4; content: "|00 0f 00 01|";
distance: 8; threshold:type both, count 30, seconds 10, track by_src;
classtype:bad-unknown; sid:2003330; rev:4;)
jp
--
Framework? I don't need no stinking framework!
----------------------------------------------------------------
@fferent Security Labs: Isolate/Insulate/Innovate
http://www.afferentsecurity.com
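The false positive behind the suggested change, worked as an added example that is not part of the original list message or of the Emerging Threats ruleset. It models sid 2003330's two content matches (offset/depth/distance as Snort applies them) and an approximation of "threshold: type both, count 30, seconds 10, track by_src", then runs the rev:3 and rev:4 source exclusions over constructed traffic in which a caching forwarder in $DNS_SERVERS passes a spambot's MX lookups on to a second listed resolver. The address sets, host roles and packet timings are assumptions made for the example.

```python
"""Added example (not from the original post or the ET ruleset): a small
model of ET sid 2003330 run over constructed DNS traffic.  Address sets,
hosts and timings below are assumptions, not data from the list message."""
import struct
import ipaddress

# Assumed stand-ins for the Snort variables $DNS_SERVERS / $SMTP_SERVERS.
DNS_SERVERS = [ipaddress.ip_network("10.0.0.53/32"),   # caching forwarder
               ipaddress.ip_network("10.0.0.54/32")]   # recursive resolver
SMTP_SERVERS = [ipaddress.ip_network("10.0.0.25/32")]

QTYPE_A, QTYPE_MX = 1, 15


def ip_in(addr, networks):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in networks)


def build_dns_query(qname, qtype, txid=0x1234):
    """Construct a minimal DNS query: header with only RD set, one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(label)]) + label.encode("ascii")
                      for label in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def matches_content(payload):
    """The rule's two content checks: '|01 00|' must lie within bytes 2..5
    (flags field with only RD set; offset:2 depth:4), and '|00 0f 00 01|'
    (QTYPE MX, QCLASS IN) must appear at least 8 bytes past the end of
    that first match (distance:8, no 'within', so search to end)."""
    first = payload[2:6].find(b"\x01\x00")
    if first == -1:
        return False
    first_end = 2 + first + 2
    return payload.find(b"\x00\x0f\x00\x01", first_end + 8) != -1


class ThresholdBoth:
    """Approximation of 'threshold: type both, count N, seconds S, track
    by_src': alert once per S-second window after N matching events from
    a source, then stay quiet until that window has elapsed."""

    def __init__(self, count, seconds):
        self.count, self.seconds = count, seconds
        self.state = {}  # src -> [window_start, hits, alerted]

    def event(self, src, ts):
        st = self.state.get(src)
        if st is None or ts - st[0] >= self.seconds:
            st = self.state[src] = [ts, 0, False]
        st[1] += 1
        if st[1] >= self.count and not st[2]:
            st[2] = True
            return True
        return False


def run_rule(packets, excluded_sources):
    """Evaluate sid 2003330 over (ts, src, dst, dport, payload) tuples;
    excluded_sources models the negated source variable(s) of the rule."""
    thr = ThresholdBoth(count=30, seconds=10)
    alerts = []
    for ts, src, dst, dport, payload in packets:
        if dport != 53 or not ip_in(dst, DNS_SERVERS):
            continue
        if ip_in(src, excluded_sources):
            continue
        if not matches_content(payload):
            continue
        if thr.event(src, ts):
            alerts.append((ts, src))
    return alerts


def sample_traffic():
    """Constructed traffic: a spambot bulk-resolving MX records, the
    forwarder 10.0.0.53 passing each lookup on to the resolver 10.0.0.54,
    the mail server doing its own MX lookups, plus A lookups that must
    not count.  Two bursts, 20 s apart, so the window resets once."""
    pkts = []
    for burst_start in (0, 20):
        for i in range(40):
            ts = burst_start + i / 10
            mx = build_dns_query(f"victim{i}.example", QTYPE_MX)
            pkts.append((ts, "192.168.1.77", "10.0.0.53", 53, mx))  # spambot
            pkts.append((ts, "10.0.0.53", "10.0.0.54", 53, mx))     # forwarder
            pkts.append((ts, "10.0.0.25", "10.0.0.53", 53, mx))     # SMTP server
            a = build_dns_query(f"www{i}.example", QTYPE_A)
            pkts.append((ts, "192.168.1.77", "10.0.0.53", 53, a))   # not MX
    return pkts


def alerts_rev3():
    """rev:3 -- source is !$SMTP_SERVERS only."""
    return run_rule(sample_traffic(), SMTP_SERVERS)


def alerts_rev4():
    """rev:4 -- source is ![$DNS_SERVERS,$SMTP_SERVERS]."""
    return run_rule(sample_traffic(), DNS_SERVERS + SMTP_SERVERS)


if __name__ == "__main__":
    for name, fn in (("rev:3", alerts_rev3), ("rev:4", alerts_rev4)):
        print(name, [(round(ts, 1), src) for ts, src in fn()])
```

With rev:3 the forwarder 10.0.0.53 fires alongside the spambot in each burst, because from the sensor's point of view it is just another host sending 30+ MX queries to a DNS server; with rev:4 only 192.168.1.77 alerts, once per window. The threshold model is an approximation of Snort's, and the real $DNS_SERVERS must list every resolver that forwards or recurses on behalf of clients for the exclusion to help.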