[Emerging-Sigs] Rule 2016016

Leonard Jacobs ljacobs at netsecuris.com
Thu Dec 20 05:19:13 HAST 2012


We have seen this one quite a bit but the source is always from places we don't want traffic from.

Leonard Jacobs, MBA, CISSP
President/CEO
Netsecuris Inc.
P 952-641-1421 ext. 20
http://www.netsecuris.com

  From: Lay, James [mailto:james.lay at wincofoods.com]
To: emerging-sigs at emergingthreats.net
Sent: Thu, 20 Dec 2012 08:54:04 -0600
Subject: [Emerging-Sigs] Rule 2016016

Rule:
alert udp any any -> $HOME_NET 53 (msg:"ET CURRENT_EVENTS DNS Amplification Attack Inbound"; content:"|01 00 00 01 00 00 00 00 00 01|"; depth:10; offset:2; pcre:"/^[^\x00]+?\x00/R"; content:"|00 ff 00 01 00 00 29 10|"; within:8; fast_pattern; threshold: type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2016016; rev:4;)

Hex:
2A 39 01 00 00 01 00 00 00 00 00 01 03 69 73 63
03 6F 72 67 00 00 FF 00 01 00 00 29 10 00 00 00
80 00 00 00

Text dump:
*9...........isc
.org.......)....
....

So far this is a pretty chatty rule. FYI :D

James
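
Added example (not part of the original thread or of the Emerging Threats ruleset): a Python sketch that replays the rule's payload options against the hex dump posted above, decodes the DNS fields each match covers, and emulates the per-source limit threshold. The function names are illustrative, and the threshold emulation is a simplified model of Snort's `type limit` behaviour.

```python
import re

# Payload bytes copied from the "Hex:" dump in the message above.
SAMPLE = bytes.fromhex("2A390100000100000000000103697363"
                       "036F72670000FF000100002910000000"
                       "80000000")
HEADER = bytes.fromhex("01000001000000000001")  # flags=RD, QD=1, AN=0, NS=0, AR=1
TAIL = bytes.fromhex("00ff000100002910")        # QTYPE ANY, class IN, root name, OPT, size 0x10..
QNAME = re.compile(rb"[^\x00]+?\x00")           # the rule's pcre; /R = start after last match


def rule_matches(payload: bytes) -> bool:
    """Emulate the payload options of sid 2016016 on one UDP payload."""
    if payload[2:12] != HEADER:          # content; offset:2; depth:10
        return False
    m = QNAME.match(payload, 12)         # relative pcre, anchored at byte 12
    if not m:
        return False
    # within:8 with an 8-byte pattern: it must start right where the pcre ended
    return payload[m.end():m.end() + 8] == TAIL


def describe(payload: bytes) -> dict:
    """Decode the fields the rule keys on (call only when rule_matches is True)."""
    end = QNAME.match(payload, 12).end()
    labels, i = [], 12
    while payload[i]:                    # walk the length-prefixed labels
        n = payload[i]
        labels.append(payload[i + 1:i + 1 + n].decode("ascii", "replace"))
        i += 1 + n
    word = lambda off: int.from_bytes(payload[end + off:end + off + 2], "big")
    return {"qname": ".".join(labels), "qtype": word(0),
            "opt_type": word(5), "edns_udp_size": word(7)}


def limit_alerts(events, seconds=60, count=1):
    """Emulate 'threshold: type limit, track by_src' over (timestamp, src) pairs."""
    state, alerts = {}, []
    for ts, src in events:
        start, seen = state.get(src, (ts, 0))
        if ts - start >= seconds:        # window expired, start a new one
            start, seen = ts, 0
        state[src] = (start, seen + 1)
        if seen < count:
            alerts.append((ts, src))
    return alerts
```

On the posted bytes, `describe()` returns qname `isc.org`, qtype 255 (ANY), opt_type 41 (EDNS0 OPT) and an advertised EDNS UDP size of 4096.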