Snort mailing list archives
Re: BOTNET-CNC Possible host infection - excessive DNS queries for .eu
From: Community Signatures <lists () packetmail net>
Date: Mon, 12 Mar 2012 10:21:19 -0500
On 03/12/12 10:14, Martin Holste wrote:
> The sig, as written, will false like crazy on any medium or large sized network because it does not take into account DNS servers or SMTP servers (or spam gateways) which do a lot of DNS lookups.
I dunno, "detection_filter:track by_src, count 100, seconds 10;" -- even in these high volume networks I would tend to agree that 10 queries/second is suspicious when 100 after 10 seconds is reached.

Thanks,
Nathan
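
The trade-off discussed in this message, as an added example that is not part of the original post and is not Snort code: a simplified model of a per-source `detection_filter` with the quoted values (count 100, seconds 10), run over constructed traffic. The host addresses, query rates and the `exclude` parameter are assumptions made for illustration.

```python
from collections import defaultdict

COUNT, SECONDS = 100, 10  # values quoted in the message above
# Hypothetical hosts (RFC 5737 documentation addresses), constructed for this example.
RESOLVER, MAIL_GW, CLIENT, NOISY = "192.0.2.53", "192.0.2.25", "192.0.2.10", "192.0.2.66"

def make_events(duration=30):
    """Constructed traffic: one (timestamp, src) per matching .eu query."""
    rates = {RESOLVER: 50, MAIL_GW: 15, CLIENT: 2, NOISY: 12}  # queries/second, assumed
    events = [(t + i / qps, src) for src, qps in rates.items()
              for t in range(duration) for i in range(qps)]
    return sorted(events)

def detection_filter(events, count=COUNT, seconds=SECONDS, exclude=()):
    """Simplified model of 'track by_src': a per-source counter over a fixed
    interval that starts at the first match; matches beyond `count` alert."""
    state = {}                  # src -> (interval_start, matches_in_interval)
    alerts = defaultdict(int)   # src -> number of alerts raised
    for ts, src in events:
        if src in exclude:      # known resolvers / mail hosts are not tracked
            continue
        start, n = state.get(src, (ts, 0))
        if ts - start >= seconds:   # interval expired: start a new one
            start, n = ts, 0
        n += 1
        state[src] = (start, n)
        if n > count:
            alerts[src] += 1
    return dict(alerts)

def alerting_sources(events, **kw):
    """Sorted list of sources that raised at least one alert."""
    return sorted(detection_filter(events, **kw))

if __name__ == "__main__":
    ev = make_events()
    print("no exclusions:   ", alerting_sources(ev))
    print("servers excluded:", alerting_sources(ev, exclude={RESOLVER, MAIL_GW}))
```

In a Snort deployment the exclusion would normally be expressed in the rule header, for example by negating the `$DNS_SERVERS` and `$SMTP_SERVERS` variables, rather than in post-processing.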
Current thread:
- BOTNET-CNC Possible host infection - excessive DNS queries for .eu Yew Chuan Ong (Mar 12)
- Re: BOTNET-CNC Possible host infection - excessive DNS queries for .eu Alex Kirk (Mar 12)
- Re: BOTNET-CNC Possible host infection - excessive DNS queries for .eu Martin Holste (Mar 12)
- Re: BOTNET-CNC Possible host infection - excessive DNS queries for .eu Joel Esler (Mar 12)
- Re: BOTNET-CNC Possible host infection - excessive DNS queries for .eu Community Signatures (Mar 12)
- Re: BOTNET-CNC Possible host infection - excessive DNS queries for .eu Joel Esler (Mar 12)
- Re: BOTNET-CNC Possible host infection - excessive DNS queries for .eu Martin Holste (Mar 12)
- Re: BOTNET-CNC Possible host infection - excessive DNS queries for .eu Joel Esler (Mar 12)
- Re: BOTNET-CNC Possible host infection - excessive DNS queries for .eu Martin Holste (Mar 12)
- Re: BOTNET-CNC Possible host infection - excessive DNS queries for .eu Joel Esler (Mar 12)
- Re: BOTNET-CNC Possible host infection - excessive DNS queries for .eu Martin Holste (Mar 12)
- Re: BOTNET-CNC Possible host infection - excessive DNS queries for .eu Alex Kirk (Mar 12)