Someone brought to my attention that I neglected udp (thank you Adam), sorry about that I was in a hurry when I posted this, there is another just like the tcp one that says udp :) Both are being triggered by the clients affected as one would expect, so for full coverage, do both.
Wouldn't it make more sense to use:
alert ip $HOME_NET any > $MAL_DNS 53 blah, blah, blah....instead of having two rules?
(That's what I'm using, and it's working fine.)
Paul Schmehl ([EMAIL PROTECTED]) Adjunct Information Security Officer The University of Texas at Dallas AVIEN Founding Member http://www.utdallas.edu
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
