[Snort-sigs] BOTNET-CNC Possible host infection - excessive DNS queries for .eu

Community Signatures lists at ...3397...
Mon Mar 12 11:21:19 EDT 2012


On 03/12/12 10:14, Martin Holste wrote:
> The sig, as written, will false like crazy on any medium or large
> sized network because it does not take into account DNS servers or
> SMTP servers (or spam gateways) which do a lot of DNS lookups.

I dunno, "detection_filter:track by_src, count 100, seconds 10;" -- even
in these high-volume networks I would tend to agree that 10
queries/second is suspicious when 100 in 10 seconds is reached.

Thanks,
Nathan
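Added example (not code from this thread or from the Snort project): a Python approximation of the detection_filter semantics quoted above, run over constructed DNS query events so the two positions in the thread can be compared side by side. The IPs, names and the `exclude` parameter (standing in for a `!$DNS_SERVERS`-style negation in the rule header) are constructed for illustration.

```python
"""Approximate Snort detection_filter (track by_src, count N, seconds S)
and run it over constructed DNS query events for a workstation, a
recursive resolver and a host issuing .eu lookups at a high rate.
Snort's exact window bookkeeping is approximated here: the window
starts at a source's first match and resets once `seconds` have passed."""


def detection_filter_by_src(events, count, seconds, exclude=()):
    """events: iterable of (timestamp_seconds, src_ip, qname).
    Returns the set of sources that exceeded `count` .eu lookups within
    `seconds`, i.e. the ones the rule would alert on (Snort fires on the
    count+1-th match and every later match inside the window).
    `exclude` mimics negating known resolvers/mail gateways in the rule
    header so their legitimate high-volume lookups never count."""
    state = {}      # src -> (window_start, matches_in_window)
    alerted = set()
    for ts, src, qname in sorted(events):
        if src in exclude or not qname.lower().rstrip(".").endswith(".eu"):
            continue
        start, n = state.get(src, (ts, 0))
        if ts - start >= seconds:        # window expired: start a fresh one
            start, n = ts, 0
        n += 1
        state[src] = (start, n)
        if n > count:                    # rate exceeded -> rule fires
            alerted.add(src)
    return alerted


def constructed_events():
    """Constructed sample traffic, not captured data."""
    ev = []
    # workstation: 5 .eu lookups spread over 10 seconds
    ev += [(t * 2.0, "10.0.0.5", f"site{t}.eu") for t in range(5)]
    # recursive resolver forwarding many clients: 150 .eu lookups in 10 s
    ev += [(i * 10 / 150, "10.0.0.53", f"host{i}.example.eu") for i in range(150)]
    # single host querying 120 distinct .eu names within 3 seconds
    ev += [(i * 0.025, "10.0.0.77", f"{i:04x}.suspect.eu") for i in range(120)]
    return ev


if __name__ == "__main__":
    ev = constructed_events()
    # both the resolver and the high-rate host trip the filter
    print("no exclusions:", sorted(detection_filter_by_src(ev, 100, 10)))
    # excluding the known resolver leaves only the high-rate host
    print("resolver excluded:",
          sorted(detection_filter_by_src(ev, 100, 10, exclude={"10.0.0.53"})))
```

With the thread's count 100 / seconds 10 the resolver and the high-rate host both alert; the same filter with the resolver excluded flags only the host, which is the distinction the two posts are arguing about.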