Snort mailing list archives

Re: External DNS 127.0.0.1 response


From: James Lay <jlay () slave-tothe-box net>
Date: Sun, 21 Apr 2013 17:44:02 -0600


On Apr 21, 2013, at 1:16 PM, Joel Esler <jesler () sourcefire com> wrote:

On Apr 21, 2013, at 10:01 AM, lists () packetmail net wrote:
On 04/20/2013 09:43 AM, James Lay wrote:
Yea so this rule is a semi bust due to exactly where you hit it Nathan…RBL and SBL lookups will FP on this. That being said however this rule might be helpful in organizations that don't host their own mail server

Yeah, I agree, good rule and good idea, thanks as always James for your ideas
and sigs.  I was trying to think of a way to negate SMTP_SERVERS but since this
relies on DNS it's going to hit the recursive forwarders at some point in a
network and trigger.

So are we saying this is a good fit for the ruleset?  Or no?

Joel

I would say include but disable…maybe with a comment #will FP on RBL/SPF lookups? Just a thought…I'm going to run it especially on intern networks.

James
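The false-positive problem the thread describes comes from how DNS blocklists work: an RBL/SBL query for a reversed IP under the list's zone answers with a 127.0.0.x address to signal "listed", so a rule that alerts on any external DNS response carrying a loopback address fires on every blocklist hit. The following Python script is an added example, not part of the thread or of any Snort rule: it parses a DNS response packet, extracts the A records, and separates an expected blocklist answer (query name under a configured DNSBL zone) from the case the rule is actually after, an ordinary hostname being pointed at localhost. The zone names and sample packets are constructed placeholders.

```python
import struct
import ipaddress

# Constructed zone list (placeholder names, not a real DNSBL inventory);
# in practice populate it with the RBL/SBL zones your mail path queries.
KNOWN_DNSBL_ZONES = ("dnsbl.example", "sbl.example")


def encode_name(name):
    """Encode a dotted hostname into DNS wire format (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(packet, offset):
    """Decode a wire-format name at offset, following compression pointers.
    Returns (name, offset_after_name)."""
    labels = []
    jumped = False
    end = offset
    while True:
        length = packet[offset]
        if length & 0xC0 == 0xC0:                      # compression pointer
            pointer = struct.unpack("!H", packet[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped = True
            offset = pointer
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            break
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


def build_a_response(qname, answer_ip, txid=0x1234):
    """Build a minimal DNS response with one A record (constructed sample)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR=1, RD, RA
    question = encode_name(qname) + struct.pack("!HH", 1, 1)   # QTYPE A, QCLASS IN
    # The answer name is a compression pointer back to the question at offset 12.
    answer = struct.pack("!H", 0xC00C) + struct.pack("!HHIH", 1, 1, 300, 4)
    answer += ipaddress.IPv4Address(answer_ip).packed
    return header + question + answer


def parse_response(packet):
    """Return (query_name, [IPv4 answers]) from a DNS response packet."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if not flags & 0x8000:
        raise ValueError("not a response")
    offset = 12
    qname = None
    for _ in range(qdcount):
        name, offset = decode_name(packet, offset)
        offset += 4                                    # skip QTYPE + QCLASS
        qname = qname or name
    addrs = []
    for _ in range(ancount):
        _name, offset = decode_name(packet, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", packet[offset:offset + 10])
        offset += 10
        rdata = packet[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:                  # A record
            addrs.append(str(ipaddress.IPv4Address(rdata)))
    return qname, addrs


def classify_response(packet, dnsbl_zones=KNOWN_DNSBL_ZONES):
    """Triage a loopback answer the way an analyst handling the alert would."""
    qname, addrs = parse_response(packet)
    loopback = [a for a in addrs if ipaddress.IPv4Address(a).is_loopback]
    if not loopback:
        return "benign"
    if any(qname.lower().endswith("." + z) for z in dnsbl_zones):
        return "dnsbl-listing"            # 127.0.0.x is the expected "listed" signal
    return "suspicious-loopback"          # a real hostname resolved to localhost


if __name__ == "__main__":
    rbl = build_a_response("2.0.0.127.dnsbl.example", "127.0.0.2")
    odd = build_a_response("update.vendor.example", "127.0.0.1")
    print(classify_response(rbl), classify_response(odd))
```

Keeping the zone list beside the detection is what makes the rule usable on a network that hosts its own mail: the blocklist answers are suppressed by name rather than by disabling the whole check, and the remaining "suspicious-loopback" hits are the ones worth looking at.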
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org