Full Disclosure mailing list archives

Re: [Snort-sigs] Re: Mystery DNS Changes
From: Paul Schmehl <pauls () utdallas edu>
Date: Fri, 03 Oct 2003 19:07:40 -0500

--On Thursday, October 02, 2003 6:29 AM -0500 Paul Tinsley <pdt () jackhammer org> wrote:

> Someone brought to my attention that I neglected udp (thank you Adam),
> sorry about that I was in a hurry when I posted this, there is another
> just like the tcp one that says udp :)  Both are being triggered by the
> clients affected as one would expect, so for full coverage, do both.

Wouldn't it make more sense to use:

alert ip $HOME_NET any -> $MAL_DNS 53 blah, blah, blah....instead of having two rules?

(That's what I'm using, and it's working fine.)

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

