List: emerging-sigs
Subject: [Emerging-Sigs] suggested rule change
From: jonkman () jonkmans ! com (Matt Jonkman)
Date: 2008-02-22 15:05:13
Message-ID: 47BEE4A9.5080706 () jonkmans ! com
I think that's a good change to make. Posting now, thanks Jack
Matt
Jack Pepper wrote:
> on rule 2003330, rev:3.
>
> I would suggest changing the "!$SMTP_SERVERS" field to be
> "![$DNS_SERVERS,$SMTP_SERVERS]". This will prevent a few bogus hits.
>
> before:
> alert udp !$SMTP_SERVERS any -> $DNS_SERVERS 53 (msg:"ET POLICY
> Possible Spambot -- Host DNS MX Query High Count"; content: "|01 00|";
> offset: 2; depth: 4; content: "|00 0f 00 01|"; distance: 8;
> threshold:type both, count 30, seconds 10, track by_src;
> classtype:bad-unknown; sid:2003330; rev:3;)
>
>
> after:
> alert udp ![$DNS_SERVERS,$SMTP_SERVERS] any -> $DNS_SERVERS 53
> (msg:"ET POLICY Possible Spambot -- Host DNS MX Query High Count";
> content: "|01 00|"; offset: 2; depth: 4; content: "|00 0f 00 01|";
> distance: 8; threshold:type both, count 30, seconds 10, track by_src;
> classtype:bad-unknown; sid:2003330; rev:4;)
>
> jp
>
>
--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc
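
The effect of the proposed source exclusion, as an added example that is not part of the original thread or of the Emerging Threats rule set: a Python model of the rule's two content matches and its threshold, run over constructed traffic. The addresses, host roles and helper names are assumptions, and every sample packet is assumed to be sent to a $DNS_SERVERS host on UDP port 53.

```python
import struct
from collections import defaultdict

# Constructed stand-ins for the rule variables (not values from the thread).
DNS_SERVERS = {"10.0.0.53"}
SMTP_SERVERS = {"10.0.0.25"}
COUNT, SECONDS = 30, 10  # threshold: count 30, seconds 10

def build_query(name, qtype, txid=0x1234):
    """Constructed DNS query: header with RD set, one question, class IN."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)

def matches_rule(payload):
    """The rule's two content matches: |01 00| at offset 2, depth 4, then
    |00 0f 00 01| (QTYPE MX, QCLASS IN) at distance 8 from the first match."""
    first = payload.find(b"\x01\x00", 2, 6)
    if first < 0:
        return False
    return payload.find(b"\x00\x0f\x00\x01", first + 2 + 8) >= 0

def alerts(events, excluded):
    """Approximation of 'threshold: type both, track by_src': at most one alert
    per source per SECONDS window, raised when the COUNT-th match is seen."""
    state = defaultdict(lambda: [None, 0])  # src -> [window start, count]
    out = []
    for ts, src, payload in events:
        # 'excluded' models the negated source list in the rule header.
        if src in excluded or not matches_rule(payload):
            continue
        st = state[src]
        if st[0] is None or ts - st[0] >= SECONDS:
            st[0], st[1] = ts, 0
        st[1] += 1
        if st[1] == COUNT:
            out.append((src, ts))
    return out

def sample_events():
    """Constructed traffic: 40 queries in 4 s from each of three hosts."""
    hosts = (("10.0.1.77", 15), ("10.0.0.53", 15), ("10.0.1.88", 1))  # MX, MX, A
    return [(i / 10, src, build_query(f"d{i}.example", qt, i))
            for i in range(40) for src, qt in hosts]

if __name__ == "__main__":
    ev = sample_events()
    print("rev 3 sources:", [s for s, _ in alerts(ev, SMTP_SERVERS)])
    print("rev 4 sources:", [s for s, _ in alerts(ev, SMTP_SERVERS | DNS_SERVERS)])
```

With only $SMTP_SERVERS excluded, the model alerts on both the workstation and the constructed DNS server; with the revised exclusion only the workstation alerts.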