Snort mailing list archives

Subject: Re: External DNS response
From: James Lay <jlay () slave-tothe-box net>
Date: Sun, 21 Apr 2013 17:44:02 -0600

On Apr 21, 2013, at 1:16 PM, Joel Esler <jesler () sourcefire com> wrote:

> On Apr 21, 2013, at 10:01 AM, lists () packetmail net wrote:
>
>> On 04/20/2013 09:43 AM, James Lay wrote:
>>
>>> Yeah, so this rule is a semi-bust due to exactly where you hit it, Nathan… RBL and SBL lookups will FP on this. That
>>> being said, however, this rule might be helpful in organizations that don't host their own mail server.
>>
>> Yeah, I agree, good rule and good idea, thanks as always James for your ideas
>> and sigs. I was trying to think of a way to negate SMTP_SERVERS, but since this
>> relies on DNS it's going to hit the recursive forwarders at some point in a
>> network and trigger.
>
> So are we saying this is a good fit for the ruleset? Or no?

I would say include but disable… maybe with a comment #will FP on RBL/SPF lookups? Just a thought… I'm going to run
it especially on intern networks.
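
The false positive the thread is talking about, as an added example that is not part of the original post or of the Snort ruleset: a toy "external DNS response" check that parses the question section of a DNS message, ignores responses to the internal recursive forwarder (the hosts packetmail says the lookups eventually hit), and suppresses the reversed-IP DNSBL and TXT/SPF responses that a mail server doing its own resolution would receive. The network variables (HOME_NET, DNS_SERVERS, SMTP_SERVERS), the DNSBL zone list and the sample packets are constructed for this example and are not taken from the thread.

```python
"""Toy model of an 'external DNS response' detection and the RBL/SPF false positive.
Network variables and sample packets are constructed for this example; none of it
is from the Snort ruleset or the thread."""
import ipaddress
import struct

# Assumed network layout (constructed for the example).
HOME_NET = [ipaddress.ip_network("192.168.0.0/16")]
DNS_SERVERS = {ipaddress.ip_address("192.168.1.53")}   # internal recursive forwarder
SMTP_SERVERS = {ipaddress.ip_address("192.168.1.25")}  # mail server doing RBL/SPF lookups
# Example DNSBL zones whose reversed-IP lookups a mail server will make (assumed list).
DNSBL_ZONES = ("zen.spamhaus.org", "bl.spamcop.net")
QTYPE_TXT = 16


def build_dns(qname, qtype, response, txid=0x1234):
    """Encode a minimal DNS message (header + one question). Used only to construct samples."""
    flags = 0x8180 if response else 0x0100
    msg = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    for label in qname.rstrip(".").split("."):
        raw = label.encode("ascii")
        msg += bytes([len(raw)]) + raw
    return msg + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_question(msg):
    """Return (is_response, qname, qtype) from the header and the first question."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    _txid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        if pos >= len(msg):
            raise ValueError("truncated question name")
        ln = msg[pos]
        if ln == 0:
            pos += 1
            break
        if ln & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(msg[pos + 1:pos + 1 + ln].decode("ascii"))
        pos += 1 + ln
    qtype = struct.unpack("!H", msg[pos:pos + 2])[0]
    return bool(flags & 0x8000), ".".join(labels).lower(), qtype


def looks_like_dnsbl(qname):
    """True for <d>.<c>.<b>.<a>.<zone>: a reversed IPv4 under one of the DNSBL zones."""
    for zone in DNSBL_ZONES:
        if qname.endswith("." + zone):
            prefix = qname[: -len(zone) - 1].split(".")
            return len(prefix) == 4 and all(p.isdigit() and int(p) <= 255 for p in prefix)
    return False


def in_home_net(ip):
    return any(ip in net for net in HOME_NET)


def classify(src, dst, sport, msg):
    """Decide what an 'external DNS response' rule should do with one UDP datagram."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    is_response, qname, qtype = parse_question(msg)
    if sport != 53 or not is_response:
        return "ignore:not-response"
    if in_home_net(src) or not in_home_net(dst):
        return "ignore:not-external-to-home"
    if dst in DNS_SERVERS:
        return "ignore:resolver"          # the forwarder is supposed to receive these
    if dst in SMTP_SERVERS and (looks_like_dnsbl(qname) or qtype == QTYPE_TXT):
        return "suppress:rbl-or-spf"      # the FP the thread warns about
    return "alert"                        # some other internal host talking to outside DNS


if __name__ == "__main__":
    samples = [
        ("203.0.113.53", "192.168.1.53", 53, build_dns("example.com", 1, True)),
        ("198.51.100.9", "192.168.1.25", 53, build_dns("4.3.2.1.zen.spamhaus.org", 1, True)),
        ("198.51.100.9", "192.168.1.25", 53, build_dns("example.com", QTYPE_TXT, True)),
        ("198.51.100.9", "192.168.1.77", 53, build_dns("example.com", 1, True)),
    ]
    for src, dst, sport, msg in samples:
        print(src, "->", dst, classify(src, dst, sport, msg))
```

The resolver exclusion is what handles the forwarder case packetmail describes; the query-name heuristic only helps where the mail server receives the responses itself, and it will not suppress a DNSBL lookup against a zone missing from the list, so the thread's advice (ship it disabled, with the FP noted) still stands.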

Snort-sigs mailing list
Snort-sigs () lists sourceforge net

Please visit http://blog.snort.org for the latest news about Snort!
