[Emerging-Sigs] Rule 2016016

waldo kitty wkitty42 at windstream.net
Thu Dec 20 07:19:09 HAST 2012

On 12/20/2012 10:55, Nathan wrote:
> Hash: SHA1
> On 12/20/2012 08:54 AM, Lay, James wrote:
>> So far this is a pretty chatty rule.  FYI :D
> It's legit, I had the same thing with 'isc.org' with them asking ANY? isc.org.
> up and down my CIDR /19.  The guy in this case was and all
> traffic was sourced from sport 32767 to dport 53.

i've seen this from only a few times... one was which seems to be 
game2.kfc-css.com... both the address and the base kfc-css.com are listed in 

> I'd give them a firewall block.

that's what i lie about our active response tool... it initiates a firewall 
block for alerts and does it pretty danged quickly, too...

i'm trying to figure out what, exactly, is meant by the rule's MSG text, 
though... "DNS Amplification"??? what are they trying to do, query DNS via our 
DNS server(s) and sending a lot of requests for the same addresses?

More information about the Emerging-sigs mailing list