[Snort-sigs] Re: [Full-Disclosure] Mystery DNS Changes

Paul Schmehl pauls at utdallas.edu
Sat Oct 4 01:07:40 BST 2003


--On Thursday, October 02, 2003 6:29 AM -0500 Paul Tinsley 
<pdt at jackhammer.org> wrote:

> Someone brought to my attention that I neglected udp (thank you Adam),
> sorry about that I was in a hurry when I posted this, there is another
> just like the tcp one that says udp :)  Both are being triggered by the
> clients affected as one would expect, so for full coverage, do both.

Wouldn't it make more sense to use:

alert ip $HOME_NET any -> $MAL_DNS 53 blah, blah, blah....instead of having 
two rules?

(That's what I'm using, and it's working fine.)

Paul Schmehl (pauls at utdallas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
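An added illustration of the point above (example code, not from either poster and not Snort's own parser): a toy Snort-header matcher run over constructed traffic, showing that a single `ip` rule alerts on the same TCP and UDP flows to the bad DNS server as the tcp/udp pair does. The `$HOME_NET` and `$MAL_DNS` values, the SIDs, the sample packets and the handling of port-bearing rules against portless packets are all assumptions of this toy.

```python
"""Toy Snort rule-header matcher (added example; not Snort's engine)."""
from dataclasses import dataclass
from typing import Optional
import ipaddress

# Constructed variable values; 192.0.2.53 is a documentation address.
VARS = {
    "$HOME_NET": "10.0.0.0/8",
    "$MAL_DNS": "192.0.2.53",
}

# The two rule sets under discussion: protocol-specific pair vs one 'ip' rule.
# SIDs are placeholders chosen for this example.
TWO_RULES = [
    'alert tcp $HOME_NET any -> $MAL_DNS 53 (msg:"DNS to bad server tcp"; sid:1000001;)',
    'alert udp $HOME_NET any -> $MAL_DNS 53 (msg:"DNS to bad server udp"; sid:1000002;)',
]
ONE_RULE = [
    'alert ip $HOME_NET any -> $MAL_DNS 53 (msg:"DNS to bad server"; sid:1000003;)',
]


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    sport: Optional[int]  # None for protocols without ports
    dst: str
    dport: Optional[int]


@dataclass(frozen=True)
class RuleHeader:
    action: str
    proto: str
    src_net: ipaddress.IPv4Network
    sport: Optional[int]  # None means "any"
    dst_net: ipaddress.IPv4Network
    dport: Optional[int]
    sid: int


def parse_rule(text: str) -> RuleHeader:
    """Parse only the header and the sid option of a unidirectional rule."""
    header, _, options = text.partition("(")
    action, proto, src, sport, arrow, dst, dport = header.split()
    assert arrow == "->", "this toy handles only unidirectional rules"

    def net(tok: str) -> ipaddress.IPv4Network:
        return ipaddress.ip_network(VARS.get(tok, tok), strict=False)

    def port(tok: str) -> Optional[int]:
        return None if tok == "any" else int(tok)

    sid = int(options.split("sid:")[1].split(";")[0])
    return RuleHeader(action, proto, net(src), port(sport), net(dst), port(dport), sid)


def header_matches(rule: RuleHeader, pkt: Packet) -> bool:
    # An 'ip' rule applies to every IP protocol; tcp/udp rules only to their own.
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in rule.src_net:
        return False
    if ipaddress.ip_address(pkt.dst) not in rule.dst_net:
        return False
    # Assumption of this toy: a rule with a specific port cannot match a packet
    # that carries no ports (e.g. ICMP). Check your Snort version's manual for
    # how it really treats ports on 'ip' rules before relying on that.
    if rule.sport is not None and rule.sport != pkt.sport:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True


def alerts(rule_texts, packets):
    """Return (packet, sid) pairs for every rule header that fires."""
    rules = [parse_rule(r) for r in rule_texts]
    return [(p, r.sid) for p in packets for r in rules if header_matches(r, p)]


def same_coverage(packets) -> bool:
    """True when both rule sets alert on exactly the same packets."""
    hit_two = {p for p, _ in alerts(TWO_RULES, packets)}
    hit_one = {p for p, _ in alerts(ONE_RULE, packets)}
    return hit_two == hit_one


# Constructed sample traffic: two hits, three non-hits.
SAMPLE_PACKETS = [
    Packet("tcp", "10.1.2.3", 40000, "192.0.2.53", 53),    # DNS over TCP to bad server
    Packet("udp", "10.1.2.3", 40001, "192.0.2.53", 53),    # DNS over UDP to bad server
    Packet("udp", "10.1.2.3", 40002, "192.0.2.53", 80),    # wrong port
    Packet("tcp", "10.1.2.3", 40003, "198.51.100.9", 53),  # DNS to some other host
    Packet("icmp", "10.1.2.3", None, "192.0.2.53", None),  # no ports at all
]

if __name__ == "__main__":
    for pkt, sid in alerts(ONE_RULE, SAMPLE_PACKETS):
        print(f"sid {sid}: {pkt.proto} {pkt.src} -> {pkt.dst}:{pkt.dport}")
    print("same coverage:", same_coverage(SAMPLE_PACKETS))
```

The matcher only checks the rule header, which is all the thread is about; payload options are out of scope. Swap in your own addresses and packets to confirm the two rule sets still fire on the same flows in your environment.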

Full-Disclosure is hosted and sponsored by Secunia.