[Snort-sigs] External DNS response

Joel Esler jesler at ...435...
Sun Apr 21 15:16:27 EDT 2013

On Apr 21, 2013, at 10:01 AM, lists at ...3397... wrote:
> On 04/20/2013 09:43 AM, James Lay wrote:
>> Yea, so this rule is a semi bust due to exactly where you hit it, Nathan… RBL and SBL lookups will FP on this.  That being said, however, this rule might be helpful in organizations that don't host their own mail server.
> Yeah, I agree, good rule and good idea, thanks as always James for your ideas
> and sigs.  I was trying to think of a way to negate SMTP_SERVERS but since this
> relies on DNS it's going to hit the recursive forwarders at some point in a
> network and trigger.

So are we saying this is a good fit for the ruleset?  Or no?
