Snort mailing list archives

SOHO Pharming sigs


From: Jamie Riden <jamie.riden () gmail com>
Date: Tue, 4 Mar 2014 08:30:24 +0000

Someone already probably did these, and did them better :)



alert udp any any -> 5.45.75.11 53 (msg:"DNS traffic to IP address identified by Team Cymru in SOHO Pharming paper"; reference:url,www.team-cymru.com/ReadingRoom/Whitepapers/2013/TeamCymruSOHOPharming.pdf; classtype:trojan-activity; sid:1000001; rev:1;)
alert tcp any any -> 5.45.75.11 53 (msg:"DNS traffic to IP address identified by Team Cymru in SOHO Pharming paper"; reference:url,www.team-cymru.com/ReadingRoom/Whitepapers/2013/TeamCymruSOHOPharming.pdf; classtype:trojan-activity; sid:1000002; rev:1;)

alert udp any any -> 5.45.75.36 53 (msg:"DNS traffic to IP address identified by Team Cymru in SOHO Pharming paper"; reference:url,www.team-cymru.com/ReadingRoom/Whitepapers/2013/TeamCymruSOHOPharming.pdf; classtype:trojan-activity; sid:1000003; rev:1;)
alert tcp any any -> 5.45.75.36 53 (msg:"DNS traffic to IP address identified by Team Cymru in SOHO Pharming paper"; reference:url,www.team-cymru.com/ReadingRoom/Whitepapers/2013/TeamCymruSOHOPharming.pdf; classtype:trojan-activity; sid:1000004; rev:1;)

ref: https://www.team-cymru.com/ReadingRoom/Whitepapers/2013/TeamCymruSOHOPharming.pdf


cheers,
 Jamie

-- 
Jamie Riden / jamie () honeynet org / jamie.riden () gmail com
http://uk.linkedin.com/in/jamieriden
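The rule set from the post as a small generator plus header matcher, added here as an illustration and not part of Jamie's message or of any Snort distribution. It emits one udp and one tcp rule per rogue resolver, each with a unique sid and rev and the Team Cymru paper as the reference (Snort refuses to load a rule without a sid), and then evaluates the rule headers against a few constructed flow tuples to confirm that only DNS traffic to the listed resolvers would fire. Assumptions not in the original: the local sid range starting at 1000001, $HOME_NET in place of "any" as the source, the prefixes used to model $HOME_NET, and the sample flows.

```python
"""Generate and sanity-check Snort rules for rogue DNS resolver IPs.

Added example, not from the original post. The two resolver addresses are
the ones quoted in the post; sid range, $HOME_NET model and flows are
constructed for illustration.
"""
import re
from dataclasses import dataclass

# IPs quoted in the post (from the Team Cymru SOHO pharming paper).
ROGUE_RESOLVERS = ["5.45.75.11", "5.45.75.36"]
REFERENCE = "www.team-cymru.com/ReadingRoom/Whitepapers/2013/TeamCymruSOHOPharming.pdf"
MSG = "DNS traffic to IP address identified by Team Cymru in SOHO Pharming paper"
BASE_SID = 1000001  # assumption: local rules use the >= 1,000,000 sid range


def make_rules(ips=ROGUE_RESOLVERS, base_sid=BASE_SID, src_net="$HOME_NET"):
    """One udp and one tcp rule per IP, each with its own sid so Snort will load them.

    src_net defaults to $HOME_NET (assumption) rather than the post's "any" so
    that only our own clients talking to the rogue resolvers raise an alert.
    """
    rules = []
    sid = base_sid
    for ip in ips:
        for proto in ("udp", "tcp"):
            rules.append(
                f'alert {proto} {src_net} any -> {ip} 53 ('
                f'msg:"{MSG}"; '
                f'reference:url,{REFERENCE}; '
                f'classtype:trojan-activity; '
                f'sid:{sid}; rev:1;)'
            )
            sid += 1
    return rules


# Header: action proto src sport -> dst dport (options)
RULE_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+'
    r'(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)$'
)


def parse_rule(rule):
    """Split a rule into header fields plus an option dict.

    A quick well-formedness check, not a full Snort parser: it understands
    key:value; options with optional double-quoted values.
    """
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError("malformed rule header: " + rule)
    opts = {}
    for key, val in re.findall(r'(\w+):("[^"]*"|[^;]*);', m.group("opts")):
        opts[key] = val.strip('"')
    parsed = m.groupdict()
    parsed["opts"] = opts
    return parsed


@dataclass
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def _port_ok(spec, port):
    return spec == "any" or int(spec) == port


def rule_matches(rule, flow, home_net=("192.168.", "10.")):
    """Evaluate only the rule header against a flow; $HOME_NET is modelled as a prefix list (assumption)."""
    r = parse_rule(rule)
    if r["proto"] != flow.proto:
        return False
    src_ok = r["src"] == "any" or (r["src"] == "$HOME_NET" and flow.src.startswith(home_net))
    dst_ok = r["dst"] == "any" or r["dst"] == flow.dst
    return src_ok and dst_ok and _port_ok(r["sport"], flow.sport) and _port_ok(r["dport"], flow.dport)


def alerts_for(flow, rules=None):
    """Return the sids of every rule whose header matches the flow."""
    rules = make_rules() if rules is None else rules
    return [parse_rule(r)["opts"]["sid"] for r in rules if rule_matches(r, flow)]


if __name__ == "__main__":
    for r in make_rules():
        print(r)
    # Constructed flow: an internal client querying the first rogue resolver.
    print(alerts_for(Flow("udp", "192.168.1.20", 51000, "5.45.75.11", 53)))
```

Header-only matching is enough here because the rules carry no payload options; an IP-based rule like this fires on any packet to port 53 at those addresses, so false positives come only from address reuse after the resolvers are taken down, which is why the sid/rev pair matters for later revisions.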

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org