[Emerging-Sigs] suggested rule change
Matt Jonkman
jonkman at jonkmans.com
Fri Feb 22 10:05:13 EST 2008
I think that's a good change to make. Posting now, thanks Jack.
Matt
Jack Pepper wrote:
> on rule 2003330, rev:3.
>
> I would suggest changing the "!$SMTP_SERVERS" field to be
> "![$DNS_SERVERS,$SMTP_SERVERS]". This will prevent a few bogus hits.
>
> before:
> alert udp !$SMTP_SERVERS any -> $DNS_SERVERS 53 (msg:"ET POLICY
> Possible Spambot -- Host DNS MX Query High Count"; content: "|01 00|";
> offset: 2; depth: 4; content: "|00 0f 00 01|"; distance: 8;
> threshold:type both, count 30, seconds 10, track by_src;
> classtype:bad-unknown; sid:2003330; rev:3;)
>
>
> after:
> alert udp ![$DNS_SERVERS,$SMTP_SERVERS] any -> $DNS_SERVERS 53
> (msg:"ET POLICY Possible Spambot -- Host DNS MX Query High Count";
> content: "|01 00|"; offset: 2; depth: 4; content: "|00 0f 00 01|";
> distance: 8; threshold:type both, count 30, seconds 10, track by_src;
> classtype:bad-unknown; sid:2003330; rev:4;)
>
> jp
>
>
--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc
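As an added illustration (not part of this thread and not Emerging Threats' own code), the script below replays constructed DNS traffic through an approximation of what sid 2003330 checks: the two content matches with their offset/depth/distance constraints, the `-> $DNS_SERVERS 53` destination test, the negated source list, and the `threshold:type both, count 30, seconds 10, track by_src` limiter. The addresses and the net-variable contents are assumptions. Running it with the rev:3 source negation (`!$SMTP_SERVERS`) flags an internal forwarder that relays its mail clients' MX lookups to the resolver; with the rev:4 negation (`![$DNS_SERVERS,$SMTP_SERVERS]`) only the suspect workstation remains.

```python
import struct
import ipaddress

# Constructed stand-ins for the Snort net variables (assumption, not anyone's real config):
# 10.0.0.53 is the resolver, 10.0.0.54 an internal forwarder, 10.0.0.25 the mail server.
DNS_SERVERS = [ipaddress.ip_network("10.0.0.53/32"), ipaddress.ip_network("10.0.0.54/32")]
SMTP_SERVERS = [ipaddress.ip_network("10.0.0.25/32")]
QTYPE_A, QTYPE_MX = 1, 15


def build_dns_query(name, qtype, txid=0x1234):
    """Build a minimal DNS query: 12-byte header (flags 0x0100 = RD set) plus one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS IN


def snort_content(payload, pattern, offset=0, depth=None, distance=None, cursor=0):
    """Approximate Snort content matching; return the position just past the match, or None.
    offset/depth bound an absolute search window; distance starts the search relative to
    the end of the previous content match (the cursor)."""
    if distance is not None:
        start = cursor + distance
        window = payload[start:]
    else:
        start = offset
        window = payload[offset:offset + depth] if depth is not None else payload[offset:]
    idx = window.find(pattern)
    return None if idx < 0 else start + idx + len(pattern)


def rule_2003330_matches(payload):
    """The two content checks of sid 2003330: RD-flag standard query, then QTYPE MX / QCLASS IN."""
    cur = snort_content(payload, b"\x01\x00", offset=2, depth=4)
    if cur is None:
        return False
    return snort_content(payload, b"\x00\x0f\x00\x01", distance=8, cursor=cur) is not None


class ThresholdBoth:
    """threshold: type both, count N, seconds S, track by_src: one alert per source per window
    once the count is reached (window anchored on the source's first hit; an approximation)."""
    def __init__(self, count, seconds):
        self.count, self.seconds = count, seconds
        self.state = {}  # src -> [window_start, hits, already_alerted]

    def hit(self, src, ts):
        st = self.state.get(src)
        if st is None or ts - st[0] >= self.seconds:
            st = self.state[src] = [ts, 0, False]
        st[1] += 1
        if st[1] >= self.count and not st[2]:
            st[2] = True
            return True
        return False


def in_any(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def run_rule(events, excluded_sources, count=30, seconds=10):
    """Replay (ts, src, dst, udp_payload) events through the rule; return (ts, src) alerts."""
    thr = ThresholdBoth(count, seconds)
    alerts = []
    for ts, src, dst, payload in events:
        if in_any(src, excluded_sources) or not in_any(dst, DNS_SERVERS):
            continue  # the negated source list and the "-> $DNS_SERVERS 53" header parts
        if rule_2003330_matches(payload) and thr.hit(src, ts):
            alerts.append((ts, src))
    return alerts


def sample_events():
    """Constructed traffic: 35 MX queries each from a suspect host, the forwarder and the
    mail server, plus 10 ordinary A queries from a workstation, all inside ten seconds."""
    ev = []
    for i in range(35):
        ts = i * 0.1
        ev.append((ts, "10.0.1.77", "10.0.0.53", build_dns_query("mail%d.example" % i, QTYPE_MX)))
        ev.append((ts, "10.0.0.54", "10.0.0.53", build_dns_query("mx%d.example" % i, QTYPE_MX)))
        ev.append((ts, "10.0.0.25", "10.0.0.53", build_dns_query("rcpt%d.example" % i, QTYPE_MX)))
    for i in range(10):
        ev.append((i * 0.5, "10.0.1.10", "10.0.0.53", build_dns_query("www%d.example" % i, QTYPE_A)))
    return sorted(ev, key=lambda e: e[0])


if __name__ == "__main__":
    print("rev:3 alerts:", run_rule(sample_events(), SMTP_SERVERS))                # forwarder flagged too
    print("rev:4 alerts:", run_rule(sample_events(), DNS_SERVERS + SMTP_SERVERS))  # only the suspect host
```

The forwarder trips the rev:3 rule for the same reason a mail server would: it issues MX lookups on behalf of others, so its per-source count rises with legitimate load. Excluding `$DNS_SERVERS` as a source removes that class of hit while keeping the per-host count that the rule relies on to spot a spambot.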