[Snort-sigs] External DNS 127.0.0.1 response

lists at ...3397...
Sun Apr 21 10:01:00 EDT 2013


On 04/20/2013 09:43 AM, James Lay wrote:
> Yeah, so this rule is a semi bust due to exactly where you hit it, Nathan… RBL and SBL lookups will FP on this. That being said, however, this rule might be helpful in organizations that don't host their own mail server.

Yeah, I agree, good rule and good idea, thanks as always James for your ideas
and sigs.  I was trying to think of a way to negate SMTP_SERVERS but since this
relies on DNS it's going to hit the recursive forwarders at some point in a
network and trigger.

Cheers,
Nathan



