[Emerging-Sigs] FP ET RBN Known Russian Business Network IP UDP

Matt Jonkman jonkman at jonkmans.com
Mon Feb 1 12:44:45 EST 2010


I understand your point definitely. But if you're blocking, there's some
use to blocking DNS requests. If they're inbound from an RBN host,
they're likely looking to spam you, so blocking DNS kills them unless
they use another DNS server. If it's an internal host going out, you may
be killing an infection.

What kind of requests are you seeing? For legitimate names, or just
malware crud?

Matt

On 2/1/10 5:40 AM, Thierry Chich wrote:
> Hello,
> 
> I have a huge amount of alerts from these rules, mainly because of DNS 
> traffic. It seems there are official DNS servers in these networks. It 
> seems to me that an alert shouldn't be triggered about a DNS request 
> towards these networks. Even if it could be interpreted as the symptom 
> of a compromised host, it is really difficult to find it, since there 
> can be a lot of DNS forwarders involved.
> 
> I suggest that this kind of rule take !53 as the destination port.
> 
> 
> Thierry Chich
> 
> PS: Don't forget, I am not the Sourcefire troll. My English grammar is 
> really poor, and I am really French. It is not a clever ruse.
> 
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> 

-- 

----------------------------------------------------
Matthew Jonkman
Emerging Threats
Open Information Security Foundation (OISF)
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
http://www.openinfosecfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
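As an added example (not code from this thread, from Matt, or from the ET rule set), the Python below does the triage both posts are arguing about: it parses Snort "fast" alert lines for an IP-reputation rule, separates the port-53 hits by direction (an internal resolver talking out to a listed name server versus a listed host querying your DNS server), counts what would be left if the rule's destination port were changed to !53, and performs that header rewrite on a sample rule. The alert lines, the SID 1:9000001, the 10.0.0.0/8 $HOME_NET and the 203.0.113.0/24 "listed" range are all constructed for the example (RFC 5737 documentation space); none of them are real RBN addresses or real ET signature IDs.

```python
"""Triage Snort fast-format alerts from an IP-reputation rule by DNS port and direction.

Added example; the alert lines, SID and address ranges below are constructed,
not taken from the Emerging Threats rule set or from real RBN listings.
"""
import ipaddress
import re
from collections import Counter

HOME_NET = [ipaddress.ip_network("10.0.0.0/8")]        # assumed internal range
LISTED_NET = [ipaddress.ip_network("203.0.113.0/24")]  # hypothetical "listed" range

# Snort fast-alert layout: ts [**] [gid:sid:rev] msg [**] [...] {PROTO} src:sport -> dst:dport
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)

# Constructed sample: three resolver lookups going out, one inbound query to our
# DNS server from listed space, and one non-DNS UDP flow that should stay an alert.
SAMPLE_ALERTS = """\
02/01-05:40:01.000001  [**] [1:9000001:1] ET RBN Known Russian Business Network IP UDP [**] [Classification: Misc Attack] [Priority: 2] {UDP} 10.0.0.53:51001 -> 203.0.113.10:53
02/01-05:40:02.000002  [**] [1:9000001:1] ET RBN Known Russian Business Network IP UDP [**] [Classification: Misc Attack] [Priority: 2] {UDP} 10.0.0.53:51002 -> 203.0.113.10:53
02/01-05:40:03.000003  [**] [1:9000001:1] ET RBN Known Russian Business Network IP UDP [**] [Classification: Misc Attack] [Priority: 2] {UDP} 203.0.113.77:41234 -> 10.0.0.53:53
02/01-05:40:04.000004  [**] [1:9000001:1] ET RBN Known Russian Business Network IP UDP [**] [Classification: Misc Attack] [Priority: 2] {UDP} 10.0.0.25:49152 -> 203.0.113.99:8080
02/01-05:40:05.000005  [**] [1:9000001:1] ET RBN Known Russian Business Network IP UDP [**] [Classification: Misc Attack] [Priority: 2] {UDP} 10.0.0.53:51003 -> 203.0.113.11:53
"""

# Hypothetical rule in the shape of the ET IP-list rules; the SID is a placeholder.
SAMPLE_RULE = (
    'alert udp $HOME_NET any -> [203.0.113.0/24] any '
    '(msg:"ET RBN Known Russian Business Network IP UDP"; '
    'classtype:misc-attack; sid:9000001; rev:1;)'
)


def parse_alert(line):
    """Return the fields of one fast-format alert line, or None if it does not match."""
    m = FAST_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["sport"] = int(fields["sport"])
    fields["dport"] = int(fields["dport"])
    return fields


def in_nets(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def classify(alert):
    """Bucket an alert by whether it is DNS and which side of the sensor it came from."""
    if alert["dport"] != 53:
        return "non-dns"          # keep: not explained by resolver traffic
    if in_nets(alert["src"], HOME_NET):
        return "outbound-dns"     # internal resolver/forwarder querying a listed name server
    if in_nets(alert["dst"], HOME_NET):
        return "inbound-dns"      # listed host querying our DNS server (e.g. MX lookups before spam)
    return "transit-dns"


def triage(text):
    """Count alerts per bucket across a block of fast-format alert lines."""
    counts = Counter()
    for line in text.splitlines():
        alert = parse_alert(line)
        counts[classify(alert) if alert else "unparsed"] += 1
    return counts


def without_dns(text):
    """Alerts that would survive changing the rule's destination port to !53."""
    alerts = (parse_alert(line) for line in text.splitlines())
    return [a for a in alerts if a and a["dport"] != 53]


def exclude_dns_port(rule):
    """Rewrite a rule header's destination port from 'any' to '!53'; other headers are left alone."""
    header, paren, options = rule.partition("(")
    parts = header.split()   # action proto src sport direction dst dport
    if len(parts) != 7:
        raise ValueError("unexpected rule header: %r" % header)
    if parts[6] != "any":
        return rule          # already restricted (or already !53); do not stack negations
    parts[6] = "!53"
    return " ".join(parts) + " " + paren + options


if __name__ == "__main__":
    print(dict(triage(SAMPLE_ALERTS)))
    print(len(without_dns(SAMPLE_ALERTS)), "alert(s) left after the !53 change")
    print(exclude_dns_port(SAMPLE_RULE))
```

The direction split is the part worth keeping even if you do adopt !53: the outbound-dns bucket is what a recursive resolver does all day and is the noise Thierry describes, while an inbound-dns hit against your own name server is the pre-spam lookup Matt describes and may be worth a separate, lower-priority rule rather than silence. If you edit a rule header this way in a local copy, bump the rev option as well so the change is visible in the alert.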

