lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
From: pdt at (Paul Tinsley)
Subject: [Snort-sigs] Re: Mystery DNS Changes

    Yep it would, I threw those up real quick just to try and get some 
visibility as to how much we were being affected by it.  Didn't put much 
thought into it.  Just out of curiosity how many of those out there who 
are using this or other similar rules are still seeing traffic to those 
servers?  I have seen a steady flow of them even though the servers that 
were distributing the malicious code seem to be down.
    I have written a script that gives me (from proxy logs) the union of 
all URLS visited by those "infected" and I can't seem to track down a 
common url that looks to be an infection vector.  Has anybody seen a 
mail based version of this?

Paul Schmehl wrote:

> --On Thursday, October 02, 2003 6:29 AM -0500 Paul Tinsley 
> <> wrote:
>> Someone brought to my attention that I neglected udp (thank you Adam),
>> sorry about that I was in a hurry when I posted this, there is another
>> just like the tcp one that says udp :)  Both are being triggered by the
>> clients affected as one would expect, so for full coverage, do both.
> Wouldn't it make more sense to use:
> alert ip $HOME_NET any > $MAL_DNS 53 blah, blah, blah....instead of 
> having two rules?
> (That's what I'm using, and it's working fine.)
> Paul Schmehl (
> Adjunct Information Security Officer
> The University of Texas at Dallas
> AVIEN Founding Member
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter:

Powered by blists - more mailing lists