[Snort-sigs] What's wrong with this rule?

Paul Schmehl pauls at ...1311...
Fri Aug 6 10:52:01 EDT 2004

--On Friday, August 06, 2004 01:20:58 PM -0400 sekure <sekure at ...2420...> 

> Perhaps your $EXTERNAL_NET is not defined properly.
> If it's just defined as "any" then it'll include internal hosts in it
> and you'll capture traffice from ANY DNS server (except the GOOD_DNS)
> to any host.
> If it's defined as "!$HOME_NET" then make sure that $HOME_NET includes
> ALL of the internal hosts.
> Other than that, i think it looks good.
var HOME_NET [my ranges]

Paul Schmehl (pauls at ...1311...)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member

More information about the Snort-sigs mailing list