
List:       emerging-sigs
Subject:    [Emerging-Sigs] suggested rule change
From:       jonkman () jonkmans ! com (Matt Jonkman)
Date:       2008-02-22 15:05:13
Message-ID: 47BEE4A9.5080706 () jonkmans ! com

I think that's a good change to make. Posting now, thanks Jack

Matt

Jack Pepper wrote:
> on rule 2003330, rev:3.
> 
> I would suggest changing the "!$SMTP_SERVERS" field to be "![$DNS_SERVERS,$SMTP_SERVERS]". This will prevent a few bogus hits.
> 
> before:
> alert udp !$SMTP_SERVERS any -> $DNS_SERVERS 53 (msg:"ET POLICY Possible Spambot -- Host DNS MX Query High Count"; content: "|01 00|"; offset: 2; depth: 4; content: "|00 0f 00 01|"; distance: 8; threshold:type both, count 30, seconds 10, track by_src; classtype:bad-unknown; sid:2003330; rev:3;)
> 
> 
> after:
> alert udp ![$DNS_SERVERS,$SMTP_SERVERS] any -> $DNS_SERVERS 53 (msg:"ET POLICY Possible Spambot -- Host DNS MX Query High Count"; content: "|01 00|"; offset: 2; depth: 4; content: "|00 0f 00 01|"; distance: 8; threshold:type both, count 30, seconds 10, track by_src; classtype:bad-unknown; sid:2003330; rev:4;)
> 
> jp
> 
> 

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
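Added example, not part of the thread or of the Emerging Threats rule set: the two content matches of sid:2003330 (flags 01 00 at offset 2 within depth 4, then QTYPE MX / QCLASS IN searched from 8 bytes past the first match, i.e. from the end of the 12-byte DNS header) and the threshold re-created in Python, run over constructed DNS queries to show why a resolver listed in $DNS_SERVERS that forwards MX lookups to an upstream resolver trips the rev:3 header and is silenced by the rev:4 source exclusion. The addresses, the contents of $DNS_SERVERS and $SMTP_SERVERS, the traffic and the window handling of the threshold (alert once when the count is reached inside a 10-second window per source, then suppress until the window expires) are assumptions made for the example.

```python
import struct
from typing import Dict, List, Set, Tuple

# Constructed values standing in for the Snort variables; not from any real deployment.
DNS_SERVERS: Set[str] = {"10.0.0.53", "10.0.0.54"}   # assumed $DNS_SERVERS
SMTP_SERVERS: Set[str] = {"10.0.0.25"}               # assumed $SMTP_SERVERS

QTYPE_A = 1
QTYPE_MX = 15


def build_dns_query(qname: str, qtype: int, flags: int = 0x0100, txid: int = 0x1234) -> bytes:
    """Build a minimal one-question DNS query (constructed sample input, not captured traffic)."""
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = b"".join(bytes([len(part)]) + part.encode("ascii") for part in qname.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)  # QCLASS IN


def rule_payload_matches(payload: bytes) -> bool:
    """Mirror the rule's content options.

    content:"|01 00|"; offset:2; depth:4;  -> bytes 01 00 fully inside payload[2:6]
                                              (flags of a standard query with RD set)
    content:"|00 0f 00 01|"; distance:8;  -> QTYPE MX (15), QCLASS IN (1), searched from
                                              8 bytes after the end of the first match,
                                              which for a match at byte 2 is byte 12,
                                              the start of the question section
    """
    idx = payload.find(b"\x01\x00", 2, 6)
    if idx == -1:
        return False
    return payload.find(b"\x00\x0f\x00\x01", idx + 2 + 8) != -1


class ThresholdBoth:
    """Approximation of threshold:type both, count N, seconds S, track by_src:
    alert once per source when N matches fall inside an S-second window that starts
    at the source's first match, then stay silent until the window expires."""

    def __init__(self, count: int = 30, seconds: float = 10.0) -> None:
        self.count, self.seconds = count, seconds
        self._state: Dict[str, List] = {}  # src -> [window_start, hits, alerted]

    def event(self, src: str, now: float) -> bool:
        st = self._state.get(src)
        if st is None or now - st[0] >= self.seconds:
            st = self._state[src] = [now, 0, False]
        st[1] += 1
        if st[1] >= self.count and not st[2]:
            st[2] = True
            return True
        return False


Packet = Tuple[float, str, str, int, bytes]  # (timestamp, src, dst, dst_port, payload)


def run_rule(packets: List[Packet], exclude_dns_servers: bool) -> List[Tuple[float, str]]:
    """Apply the rule header and body; False is the rev:3 header, True is the rev:4 one."""
    excluded = set(SMTP_SERVERS)
    if exclude_dns_servers:
        excluded |= DNS_SERVERS
    thr = ThresholdBoth(count=30, seconds=10.0)
    alerts: List[Tuple[float, str]] = []
    for ts, src, dst, dport, payload in packets:
        if src in excluded or dst not in DNS_SERVERS or dport != 53:
            continue
        if rule_payload_matches(payload) and thr.event(src, ts):
            alerts.append((ts, src))
    return alerts


def sample_traffic() -> List[Packet]:
    """Constructed traffic: a spambot-like host, the internal resolver forwarding to the
    upstream resolver, the mail server, and an ordinary client."""
    pkts: List[Packet] = []
    for i in range(45):   # 45 MX lookups in 4.5 s from one host: should alert
        pkts.append((100.0 + i * 0.1, "10.0.0.50", "10.0.0.53", 53,
                     build_dns_query(f"mx{i}.example.net", QTYPE_MX)))
    for i in range(40):   # resolver -> upstream resolver, both in $DNS_SERVERS
        pkts.append((100.0 + i * 0.1, "10.0.0.53", "10.0.0.54", 53,
                     build_dns_query(f"mx{i}.example.net", QTYPE_MX)))
    for i in range(40):   # mail server doing its job: excluded by both revisions
        pkts.append((100.0 + i * 0.1, "10.0.0.25", "10.0.0.53", 53,
                     build_dns_query(f"mx{i}.example.net", QTYPE_MX)))
    for i in range(40):   # ordinary client: A lookups, which the rule must not count
        pkts.append((100.0 + i * 0.1, "10.0.0.60", "10.0.0.53", 53,
                     build_dns_query("www.example.org", QTYPE_A)))
    for i in range(5):    # plus a handful of MX lookups, below the threshold
        pkts.append((105.0 + i * 0.1, "10.0.0.60", "10.0.0.53", 53,
                     build_dns_query(f"mx{i}.example.org", QTYPE_MX)))
    return sorted(pkts, key=lambda p: p[0])


def alerting_sources(exclude_dns_servers: bool) -> List[str]:
    return sorted({src for _, src in run_rule(sample_traffic(), exclude_dns_servers)})


if __name__ == "__main__":
    print("rev:3 alerts from:", alerting_sources(False))  # includes the forwarding resolver
    print("rev:4 alerts from:", alerting_sources(True))
```

With the rev:3 header the forwarding resolver 10.0.0.53 alerts alongside the spambot-like host, because its queries to 10.0.0.54 satisfy every condition of the rule; the rev:4 negated list removes it without touching the detection on 10.0.0.50. The ordinary client never reaches the threshold because A queries fail the second content match and its few MX lookups stay under the count.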


