I have written a script that gives me (from proxy logs) the union of all URLs visited by those "infected", and I can't seem to track down a common URL that looks to be an infection vector. Has anybody seen a mail-based version of this?
Paul Schmehl wrote:
--On Thursday, October 02, 2003 6:29 AM -0500 Paul Tinsley <[EMAIL PROTECTED]> wrote:
Someone brought to my attention that I neglected UDP (thank you, Adam). Sorry about that; I was in a hurry when I posted this. There is another rule just like the TCP one that says udp :) Both are being triggered by the affected clients, as one would expect, so for full coverage, do both.
Wouldn't it make more sense to use:
alert ip $HOME_NET any -> $MAL_DNS 53 blah, blah, blah.... instead of having two rules?
(That's what I'm using, and it's working fine.)
Paul Schmehl ([EMAIL PROTECTED]) Adjunct Information Security Officer The University of Texas at Dallas AVIEN Founding Member http://www.utdallas.edu
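The point of the one-rule suggestion is that a Snort header with protocol `ip` matches both TCP and UDP, so a single rule covers the UDP queries clients normally send and the TCP fallback used for large responses. The script below is an added example, not code posted in this thread: it emulates Snort's rule-header matching (protocol, source net, destination net, destination port) over a few constructed flow records and shows that a TCP-only rule misses the UDP traffic while the `ip` rule catches both. The $HOME_NET and $MAL_DNS values are assumed (RFC 1918 and RFC 5737 example addresses; the real lists were not posted), and the assumption that a port on an `ip` rule is applied to TCP/UDP packets is noted in the code.

```python
"""Emulate Snort rule-header matching for the $MAL_DNS rules above (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Constructed variables: example networks, not the thread's real $HOME_NET/$MAL_DNS.
HOME_NET = [ipaddress.IPv4Network("10.0.0.0/8")]
MAL_DNS = [ipaddress.IPv4Network("198.51.100.53/32"),
           ipaddress.IPv4Network("203.0.113.7/32")]

# The Snort headers being emulated (option body omitted, as in the post).
SNORT_RULES = {
    "mal-dns-tcp": "alert tcp $HOME_NET any -> $MAL_DNS 53 (...)",
    "mal-dns-udp": "alert udp $HOME_NET any -> $MAL_DNS 53 (...)",
    "mal-dns-ip":  "alert ip  $HOME_NET any -> $MAL_DNS 53 (...)",
}


@dataclass(frozen=True)
class Rule:
    name: str                         # stands in for the rule's sid/msg
    proto: str                        # "tcp", "udp" or "ip" (ip = any protocol)
    src: List[ipaddress.IPv4Network]  # $HOME_NET
    dst: List[ipaddress.IPv4Network]  # $MAL_DNS
    dport: Optional[int]              # None means "any"


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    dst: str
    dport: Optional[int]              # None for port-less protocols such as ICMP


def _in_any(addr: str, nets: Iterable[ipaddress.IPv4Network]) -> bool:
    a = ipaddress.ip_address(addr)
    return any(a in n for n in nets)


def rule_matches(rule: Rule, flow: Flow) -> bool:
    """Header match only: protocol, src net, dst net, dst port."""
    if rule.proto != "ip" and rule.proto != flow.proto:
        return False
    if not _in_any(flow.src, rule.src) or not _in_any(flow.dst, rule.dst):
        return False
    # Assumption: a port on an "ip" rule is applied to TCP/UDP packets,
    # so a port-less flow (e.g. ICMP) never satisfies "53".
    if rule.dport is not None and flow.dport != rule.dport:
        return False
    return True


def alerts(rules: Iterable[Rule], flows: Iterable[Flow]) -> List[Tuple[str, int]]:
    """Return (rule name, flow index) for every header that fires."""
    hits = []
    for i, f in enumerate(flows):
        for r in rules:
            if rule_matches(r, f):
                hits.append((r.name, i))
    return hits


TCP_ONLY = Rule("mal-dns-tcp", "tcp", HOME_NET, MAL_DNS, 53)
UDP_ONLY = Rule("mal-dns-udp", "udp", HOME_NET, MAL_DNS, 53)
IP_BOTH = Rule("mal-dns-ip", "ip", HOME_NET, MAL_DNS, 53)

# Constructed flow records (what a NetFlow/pcap summary might yield).
SAMPLE_FLOWS = [
    Flow("udp", "10.1.2.3", "198.51.100.53", 53),   # 0: ordinary resolver query
    Flow("tcp", "10.1.2.3", "198.51.100.53", 53),   # 1: TCP fallback / large answer
    Flow("udp", "10.1.2.3", "192.0.2.10", 53),      # 2: resolver not in $MAL_DNS
    Flow("udp", "192.0.2.99", "203.0.113.7", 53),   # 3: source outside $HOME_NET
    Flow("tcp", "10.9.9.9", "203.0.113.7", 80),     # 4: listed host, wrong port
    Flow("icmp", "10.9.9.9", "203.0.113.7", None),  # 5: no port at all
]

if __name__ == "__main__":
    for name, rules in (("tcp only", [TCP_ONLY]),
                        ("tcp + udp", [TCP_ONLY, UDP_ONLY]),
                        ("single ip rule", [IP_BOTH])):
        print(f"{name:15s} -> {alerts(rules, SAMPLE_FLOWS)}")
```

Running it shows the TCP-only rule firing on flow 1 alone, the TCP+UDP pair and the single `ip` rule both firing on flows 0 and 1, and nothing firing on the off-list, off-net, wrong-port or ICMP flows. That is the coverage difference the two posts are talking about; the remaining difference in real Snort is bookkeeping (one sid instead of two), not detection.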
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
