Full Disclosure mailing list archives

Re: [Snort-sigs] Re: Mystery DNS Changes


From: Paul Tinsley <pdt () jackhammer org>
Date: Fri, 03 Oct 2003 20:10:08 -0500

Yep, it would. I threw those up real quick just to try and get some visibility as to how much we were being affected by it; didn't put much thought into it. Just out of curiosity, how many of those out there who are using this or other similar rules are still seeing traffic to those servers? I have seen a steady flow of them even though the servers that were distributing the malicious code seem to be down. I have written a script that gives me (from proxy logs) the union of all URLs visited by those "infected", and I can't seem to track down a common URL that looks to be an infection vector. Has anybody seen a mail-based version of this?

Paul Schmehl wrote:

--On Thursday, October 02, 2003 6:29 AM -0500 Paul Tinsley <pdt () jackhammer org> wrote:

Someone brought to my attention that I neglected UDP (thank you, Adam);
sorry about that, I was in a hurry when I posted this. There is another
just like the TCP one that says udp :)  Both are being triggered by the
affected clients, as one would expect, so for full coverage, do both.


Wouldn't it make more sense to use:

alert ip $HOME_NET any -> $MAL_DNS 53 blah, blah, blah.... instead of having two rules?

(That's what I'm using, and it's working fine.)

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html





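The proxy-log correlation Paul Tinsley describes, as an added example that is not his script or anything from the original thread. It assumes the Snort rule above (`alert ip $HOME_NET any -> $MAL_DNS 53 ...`) writes alert_fast output, takes the source IPs of those alerts as the "infected" set, then walks Squid-native access.log lines and reports the union of URLs those hosts fetched (what the post describes), the intersection (URLs every flagged host fetched, which is the "common URL" one would actually hunt for), and a ranking of each URL by how many infected versus clean clients fetched it. The alert lines, log lines, the resolver address 192.0.2.53 and the SID 1000001 are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed alert_fast lines (not real data), as produced by a rule like:
#   alert ip $HOME_NET any -> $MAL_DNS 53 (msg:"LOCAL outbound DNS to malicious resolver"; sid:1000001;)
SNORT_ALERTS = """\
10/03-19:58:01.102233  [**] [1:1000001:1] LOCAL outbound DNS to malicious resolver [**] [Priority: 2] {UDP} 10.0.0.5:1027 -> 192.0.2.53:53
10/03-19:58:01.550912  [**] [1:1000001:1] LOCAL outbound DNS to malicious resolver [**] [Priority: 2] {TCP} 10.0.0.5:1028 -> 192.0.2.53:53
10/03-20:01:44.000111  [**] [1:1000001:1] LOCAL outbound DNS to malicious resolver [**] [Priority: 2] {UDP} 10.0.0.9:1110 -> 192.0.2.53:53
10/03-20:05:12.784512  [**] [1:1000001:1] LOCAL outbound DNS to malicious resolver [**] [Priority: 2] {UDP} 10.0.0.17:3001 -> 192.0.2.53:53
"""

# Constructed Squid native-format access.log lines (not real data):
# timestamp elapsed client action/code size method URL ident hierarchy/from type
PROXY_LOG = """\
1065229701.101    120 10.0.0.5 TCP_MISS/200 5120 GET http://www.example.com/ - DIRECT/192.0.2.10 text/html
1065229702.340     80 10.0.0.5 TCP_MISS/200 2210 GET http://ads.example.net/banner.html - DIRECT/192.0.2.11 text/html
1065229780.015    200 10.0.0.9 TCP_MISS/200 9001 GET http://news.example.org/today - DIRECT/192.0.2.12 text/html
1065229781.220     75 10.0.0.9 TCP_MISS/200 2210 GET http://ads.example.net/banner.html - DIRECT/192.0.2.11 text/html
1065229990.500    150 10.0.0.17 TCP_MISS/200 2210 GET http://ads.example.net/banner.html - DIRECT/192.0.2.11 text/html
1065229991.700     60 10.0.0.17 TCP_HIT/200 4000 GET http://www.example.com/ - NONE/- text/html
1065230000.000     90 10.0.0.22 TCP_MISS/200 2210 GET http://ads.example.net/banner.html - DIRECT/192.0.2.11 text/html
"""

# Matches the "{PROTO} src:sport -> dst:53" tail of an alert_fast line.
ALERT_RE = re.compile(
    r"\{(?:TCP|UDP)\} (\d+\.\d+\.\d+\.\d+):\d+ -> (\d+\.\d+\.\d+\.\d+):53\b")


def infected_hosts(alerts, mal_dns):
    """Source IPs that sent DNS (tcp or udp) to one of the suspect resolvers."""
    hosts = set()
    for line in alerts.splitlines():
        m = ALERT_RE.search(line)
        if m and m.group(2) in mal_dns:
            hosts.add(m.group(1))
    return hosts


def urls_by_client(log):
    """Map client IP -> set of URLs it requested, from Squid native log lines."""
    visits = defaultdict(set)
    for line in log.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # truncated or non-native line; skip rather than guess
        client, url = fields[2], fields[6]
        visits[client].add(url)
    return visits


def correlate(alerts, log, mal_dns):
    """Return (infected, union, common, ranked).

    union  - every URL any infected host fetched (what the post computes)
    common - URLs fetched by *every* infected host (candidate infection vector)
    ranked - (infected_hits, -clean_hits, url) sorted so the best candidate is first
    """
    infected = infected_hosts(alerts, mal_dns)
    visits = urls_by_client(log)
    # A host may alert without ever appearing in the proxy log; treat as no visits.
    per_host = [visits.get(h, set()) for h in infected]
    union = set().union(*per_host) if per_host else set()
    common = set.intersection(*per_host) if per_host else set()
    clean = set(visits) - infected
    ranked = []
    for url in union:
        hit_inf = sum(url in visits[h] for h in infected)
        hit_clean = sum(url in visits[h] for h in clean)
        ranked.append((hit_inf, -hit_clean, url))
    ranked.sort(reverse=True)
    return infected, union, common, ranked


if __name__ == "__main__":
    infected, union, common, ranked = correlate(SNORT_ALERTS, PROXY_LOG, {"192.0.2.53"})
    print("infected hosts:", sorted(infected))
    print("union of URLs :", len(union))
    print("common to all :", sorted(common))
    for hit_inf, neg_clean, url in ranked:
        print(f"{hit_inf:>3} infected / {-neg_clean:>3} clean  {url}")
```

The intersection is the useful number here, but it goes empty as soon as one flagged host has no proxy entry for the vector (fetched it before logging started, or over a channel the proxy never saw), which is why the ranking is kept alongside it: a URL fetched by most infected hosts and few clean ones is still worth a look even if it is not common to every host. Feeding it real data means concatenating alert_fast output and access.log in place of the two constructed strings.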