
List:       snort-sigs
Subject:    Re: [Snort-sigs] External DNS 127.0.0.1 response
From:       James Lay <jlay () slave-tothe-box ! net>
Date:       2013-04-21 23:44:02
Message-ID: 10007168-1C9A-4968-9E26-1D88366D5D0A () slave-tothe-box ! net



On Apr 21, 2013, at 1:16 PM, Joel Esler <jesler@sourcefire.com> wrote:

> On Apr 21, 2013, at 10:01 AM, lists@packetmail.net wrote:
> > On 04/20/2013 09:43 AM, James Lay wrote:
> > > Yea so this rule is a semi bust due to exactly where you hit it Nathan…RBL and
> > > SBL lookups will FP on this.  That being said however this rule might be
> > > helpful in organizations that don't host their own mail server
> > 
> > Yeah, I agree, good rule and good idea, thanks as always James for your ideas
> > and sigs.  I was trying to think of a way to negate SMTP_SERVERS but since this
> > relies on DNS it's going to hit the recursive forwarders at some point in a
> > network and trigger.
> 
> So are we saying this is a good fit for the ruleset?  Or no?
> 
> Joel

I would say include but disable…maybe with a comment #will FP on RBL/SPF
lookups?  Just a thought…I'm going to run it especially on intern networks.

James
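As an added illustration that is not code from this thread or from the Snort ruleset, the following Python sketch implements the logic the rule under discussion describes, generalized to any answer in 127.0.0.0/8: it parses a constructed DNS response, flags a loopback answer, and suppresses lookups under configured RBL/SBL zones (placeholder zone names assumed), which is the false-positive case the thread describes.

```python
import struct

# Assumed placeholder DNSBL zones (not from the thread); in practice list the
# RBL/SBL zones your mail servers and recursive forwarders actually query.
DNSBL_ZONES = ("dnsbl.example.net", "sbl.example.org")

def _encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def build_a_response(qname, ip, txid=0x1234):
    """Constructed DNS response: one question, one A answer using a name pointer."""
    hdr = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)        # QR=1, RD/RA set
    question = _encode_name(qname) + struct.pack("!HH", 1, 1)     # type A, class IN
    rdata = bytes(int(o) for o in ip.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + rdata
    return hdr + question + answer

def _read_name(msg, off):
    """Decode a wire-format name, following compression pointers."""
    labels = []
    while True:
        n = msg[off]
        if (n & 0xC0) == 0xC0:
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            labels.append(_read_name(msg, ptr)[0])
            return ".".join(labels), off + 2
        off += 1
        if n == 0:
            return ".".join(labels), off
        labels.append(msg[off:off + n].decode())
        off += n

def parse_a_answers(msg):
    """Return (qname, [A-record IPs]) from a DNS response message."""
    _, _, _, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    qname, off = _read_name(msg, 12)
    off += 4                                                       # skip qtype/qclass
    ips = []
    for _ in range(ancount):
        _, off = _read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return qname, ips

def flag_loopback_answer(msg, dnsbl_zones=DNSBL_ZONES):
    """Alert on a 127.0.0.0/8 answer, but not for expected RBL/SBL lookups."""
    qname, ips = parse_a_answers(msg)
    if not any(ip.startswith("127.") for ip in ips):
        return None
    if qname.lower().endswith(dnsbl_zones):   # DNSBL reply: 127.0.0.x is by design
        return None
    return f"suspicious loopback answer for {qname}: {ips}"
```

The suppression keys on the queried name rather than on the resolver address, so it still works when lookups arrive via recursive forwarders that cannot be excluded with SMTP_SERVERS.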




