[Emerging-Sigs] Rule 2016016

James Lay jlay at slave-tothe-box.net
Fri Dec 21 05:30:36 HAST 2012


Could we possibly make $DNS_SERVERS?

alert udp any any -> $DNS_SERVERS 53 (msg:"ET CURRENT_EVENTS DNS Amplification Attack Inbound"; content:"|01 00 00 01 00 00 00 00 00 01|"; depth:10; offset:2; pcre:"/^[^\x00]+?\x00/R"; content:"|00 ff 00 01 00 00 29 10|"; within:8; fast_pattern; threshold: type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2016016; rev:4;)

Just a thought.

James
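As an added illustration (not part of James's post or of the ET ruleset), the Python below replays the byte-matching chain of sid 2016016 against constructed DNS query payloads, so a reader can see which packets the rule fires on: a standard query with one question and one additional record, QTYPE ANY, QCLASS IN, followed by an EDNS0 OPT record whose advertised UDP payload size starts with 0x10. The threshold/track options are not modelled and the sample packets are constructed here.

```python
import re
import struct

# Constructed sample payload builder (not captured traffic): DNS header,
# one question, and an optional EDNS0 OPT record in the additional section.
def build_query(qname, qtype, edns_size=None):
    arcount = 1 if edns_size else 0
    # id, flags 0x0100 (standard query, RD set), qdcount, ancount, nscount, arcount
    hdr = struct.pack(">HHHHHH", 0x1234, 0x0100, 1, 0, 0, arcount)
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    question = name + struct.pack(">HH", qtype, 1)  # QCLASS IN
    opt = b""
    if edns_size:
        # OPT RR: root name, type 41, class = UDP payload size, TTL, RDLEN 0
        opt = b"\x00" + struct.pack(">HHIH", 41, edns_size, 0, 0)
    return hdr + question + opt

def matches_sid_2016016(payload):
    """Mirror the rule's content/pcre/within chain on a raw UDP payload."""
    # content:"|01 00 00 01 00 00 00 00 00 01|"; offset:2; depth:10
    # -> flags 0x0100, QDCOUNT 1, ANCOUNT 0, NSCOUNT 0, ARCOUNT 1
    if payload[2:12] != bytes.fromhex("01000001000000000001"):
        return False
    # pcre:"/^[^\x00]+?\x00/R" -> relative to the previous match, consume a
    # non-empty QNAME up to and including its terminating root label
    m = re.match(rb"[^\x00]+?\x00", payload[12:])
    if not m:
        return False
    pos = 12 + m.end()
    # content:"|00 ff 00 01 00 00 29 10|"; within:8 -> QTYPE ANY, QCLASS IN,
    # OPT root name, type 41, and high byte 0x10 of the advertised UDP size
    return payload[pos:pos + 8] == bytes.fromhex("00ff00010000" + "2910")

if __name__ == "__main__":
    print(matches_sid_2016016(build_query("example.com", 255, 4096)))  # True
    print(matches_sid_2016016(build_query("example.com", 1, 4096)))    # False
```

Because the last content byte is the high byte of the EDNS0 size, the rule matches only advertised buffer sizes from 4096 to 4351; an ANY query without EDNS0, or with a 512-byte buffer, does not trigger it.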

