[Emerging-Sigs] Rule 2016016
wkitty42 at windstream.net
Thu Dec 20 07:19:09 HAST 2012
On 12/20/2012 10:55, Nathan wrote:
> On 12/20/2012 08:54 AM, Lay, James wrote:
>> So far this is a pretty chatty rule. FYI :D
> It's legit; I had the same thing with 'isc.org', with them asking ANY? isc.org.
> up and down my CIDR /19. The guy in this case was 22.214.171.124 and all
> traffic was sourced from sport 32767 to dport 53.
i've seen this only a few times... one was 126.96.36.199 which seems to be
game2.kfc-css.com... both the address and the base kfc-css.com are listed in
> I'd give them a firewall block.
that's what i like about our active response tool... it initiates a firewall
block for alerts and does it pretty danged quickly, too...
i'm trying to figure out what, exactly, is meant by the rule's MSG text,
though... "DNS Amplification"??? what are they trying to do, query DNS via our
DNS server(s) and send a lot of requests for the same addresses?
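A small detector for the pattern Nathan describes above (ANY queries from one source and a fixed source port, sprayed across many resolver addresses inside a local prefix), written as an added example that is not part of the thread; the log format and all addresses are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample query log (not from the thread). Format per line:
# <timestamp> <src>:<sport> -> <dst>:<dport> <qtype> <qname>
SAMPLE_LOG = """\
2012-12-20T10:01:02 198.51.100.7:32767 -> 203.0.113.10:53 ANY isc.org.
2012-12-20T10:01:02 198.51.100.7:32767 -> 203.0.113.11:53 ANY isc.org.
2012-12-20T10:01:03 198.51.100.7:32767 -> 203.0.113.12:53 ANY isc.org.
2012-12-20T10:01:03 198.51.100.7:32767 -> 203.0.113.99:53 ANY isc.org.
2012-12-20T10:01:05 192.0.2.44:51234 -> 203.0.113.10:53 A www.example.com.
2012-12-20T10:01:06 192.0.2.44:51235 -> 203.0.113.10:53 ANY example.com.
"""

LINE_RE = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+) (\S+) (\S+)$")


def parse_queries(log):
    """Yield (src, sport, dst, dport, qtype, qname) tuples; skip malformed lines."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            _ts, src, sport, dst, dport, qtype, qname = m.groups()
            yield src, int(sport), dst, int(dport), qtype, qname


def find_any_sweeps(log, local_net, min_targets=3):
    """Report (src, sport) pairs sending ANY queries to port 53 on at least
    min_targets distinct addresses inside local_net: the 'up and down my /19'
    pattern from the thread. Keying on sport also surfaces a fixed source port
    such as 32767. Returns a list sorted by number of targets, largest first."""
    net = ipaddress.ip_network(local_net)
    targets = defaultdict(set)   # (src, sport) -> {dst, ...}
    names = defaultdict(set)     # (src, sport) -> {qname, ...}
    for src, sport, dst, dport, qtype, qname in parse_queries(log):
        if dport != 53 or qtype != "ANY":
            continue
        if ipaddress.ip_address(dst) not in net:
            continue
        targets[(src, sport)].add(dst)
        names[(src, sport)].add(qname)
    hits = []
    for (src, sport), dsts in targets.items():
        if len(dsts) >= min_targets:
            hits.append({"src": src, "sport": sport, "targets": len(dsts),
                         "qnames": sorted(names[(src, sport)])})
    return sorted(hits, key=lambda h: h["targets"], reverse=True)


if __name__ == "__main__":
    for hit in find_any_sweeps(SAMPLE_LOG, "203.0.113.0/24"):
        print(hit)
```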