[Snort-sigs] External DNS 127.0.0.1 response

James Lay jlay at ...3266...
Sun Apr 21 19:44:02 EDT 2013


On Apr 21, 2013, at 1:16 PM, Joel Esler <jesler at ...435...> wrote:

> On Apr 21, 2013, at 10:01 AM, lists at ...3397... wrote:
>> On 04/20/2013 09:43 AM, James Lay wrote:
>>> Yeah, so this rule is a semi-bust due to exactly where you hit it, Nathan… RBL and SBL lookups will FP on this. That being said, however, this rule might be helpful in organizations that don't host their own mail server.
>> 
>> Yeah, I agree, good rule and good idea, thanks as always James for your ideas
>> and sigs.  I was trying to think of a way to negate SMTP_SERVERS but since this
>> relies on DNS it's going to hit the recursive forwarders at some point in a
>> network and trigger.
> 
> So are we saying this is a good fit for the ruleset?  Or no?
> 
> Joel

I would say include but disable… maybe with a comment #will FP on RBL/SPF lookups? Just a thought… I'm going to run it especially on internal networks.

James
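The false-positive concern raised in this thread (RBL/SBL lookups legitimately answer from 127.0.0.0/8, and internal recursive forwarders will relay those answers) can be handled in post-processing rather than in the signature itself. The following is an added example, not code from the list, from James's rule, or from the Snort ruleset. It assumes a constructed log format of one A-record answer per line ("client resolver qname rdata"), an assumed allowlist of DNSBL zones, and a caller-supplied list of internal CIDRs standing in for HOME_NET; only loopback answers from an external resolver for a name outside the DNSBL zones are raised as alerts.

```python
import ipaddress
from typing import List, Tuple

# Loopback block that an honest external resolver has no reason to hand out.
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

# Assumed allowlist of DNSBL zones. RBL/SBL lookups answer from 127.0.0.0/8
# by design, so queries under these zones are expected to look "poisoned".
# The zone names are real public blocklists; picking them is this example's assumption.
DNSBL_ZONES = ("zen.spamhaus.org", "sbl.spamhaus.org", "bl.spamcop.net")

# Constructed sample log: "client resolver qname rdata", one A-record answer per line.
SAMPLE_ANSWERS = """\
10.0.0.5 8.8.8.8 www.example.com 93.184.216.34
10.0.0.5 8.8.8.8 update.example.net 127.0.0.1
10.0.0.25 8.8.8.8 4.3.2.1.zen.spamhaus.org 127.0.0.2
10.0.0.7 10.0.0.53 intranet.corp.local 127.0.0.1
"""


def is_dnsbl_query(qname: str) -> bool:
    """True when the query name sits under a known DNSBL zone."""
    name = qname.rstrip(".").lower()
    return any(name == z or name.endswith("." + z) for z in DNSBL_ZONES)


def classify(resolver: str, qname: str, rdata: str, internal_nets) -> str:
    """Return a verdict for one A-record answer, or "" when nothing is noteworthy."""
    try:
        addr = ipaddress.ip_address(rdata)
    except ValueError:
        return ""  # not an IP literal (e.g. a CNAME target); not this check's concern
    if addr not in LOOPBACK:
        return ""
    if any(ipaddress.ip_address(resolver) in n for n in internal_nets):
        # A local resolver answering 127.0.0.1 is normal (hosts-file style entries,
        # split-horizon zones); the rule is about *external* DNS.
        return "internal-resolver"
    if is_dnsbl_query(qname):
        # Expected "listed" answer from an RBL/SBL: the FP the thread describes.
        return "suppressed-dnsbl"
    return "alert"  # external resolver returned loopback for an ordinary name


def scan(log_text: str, internal_cidrs) -> List[Tuple[str, str, str]]:
    """Classify every loopback answer in the log; returns (qname, rdata, verdict)."""
    nets = [ipaddress.ip_network(c) for c in internal_cidrs]
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed or blank lines
        _client, resolver, qname, rdata = parts
        verdict = classify(resolver, qname, rdata, nets)
        if verdict:
            findings.append((qname, rdata, verdict))
    return findings


if __name__ == "__main__":
    # "10.0.0.0/8" plays the role of HOME_NET for the constructed sample.
    for qname, rdata, verdict in scan(SAMPLE_ANSWERS, ["10.0.0.0/8"]):
        print(f"{verdict:18} {qname} -> {rdata}")
```

Suppressing on the query name rather than on SMTP_SERVERS sidesteps the problem noted above: the recursive forwarder, not the mail server, is the host that ends up receiving the 127.0.0.x answer, so a source-address exclusion would never match, while the DNSBL zone suffix survives the forwarding.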