Snort mailing list archives

Re: External DNS 127.0.0.1 response
From: Joel Esler <jesler () sourcefire com>
Date: Sun, 21 Apr 2013 15:16:27 -0400

On Apr 21, 2013, at 10:01 AM, lists () packetmail net wrote:
> On 04/20/2013 09:43 AM, James Lay wrote:
>> Yea so this rule is a semi bust due to exactly where you hit it Nathan…RBL and SBL lookups will FP on this.  That being said however this rule might be helpful in organizations that don't host their own mail server
>
> Yeah, I agree, good rule and good idea, thanks as always James for your ideas
> and sigs.  I was trying to think of a way to negate SMTP_SERVERS but since this
> relies on DNS it's going to hit the recursive forwarders at some point in a
> network and trigger.

So are we saying this is a good fit for the ruleset?  Or no?

Joel