Full Disclosure mailing list archives
Re: [Snort-sigs] Re: Mystery DNS Changes
From: Paul Schmehl <pauls () utdallas edu>
Date: Fri, 03 Oct 2003 19:07:40 -0500
--On Thursday, October 02, 2003 6:29 AM -0500 Paul Tinsley <pdt () jackhammer org> wrote:
> Someone brought to my attention that I neglected udp (thank you Adam). Sorry about that, I was in a hurry when I posted this. There is another just like the tcp one that says udp :) Both are being triggered by the clients affected, as one would expect, so for full coverage, do both.
Wouldn't it make more sense to use:

alert ip $HOME_NET any -> $MAL_DNS 53 blah, blah, blah....

instead of having two rules?
(That's what I'm using, and it's working fine.)

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html