File:  [Emerging Threats] / sigs / CURRENT_EVENTS / CURRENT_DNS_Poisoning
Revision 1.17
Fri Jul 25 13:05:40 2008 UTC (2 years, 1 month ago) by jonkman
Branches: MAIN
CVS tags: HEAD
Log message: tweak

#by many very smart people
# This may be a high-load sig: every UDP packet from source port 53 to $DNS_SERVERS is
# inspected and counted per source IP. Take time and seriously consider whether your
# $DNS_SERVERS variable is set as narrowly as possible (your resolvers only, not all of $HOME_NET).
# byte_test:2,>,0,6 checks ANCOUNT > 0 and byte_test:2,>,0,10 checks ARCOUNT > 0 in the DNS
# header (so the response must carry both an answer and an additional-section RR);
# the threshold then fires once per source when 100 such responses arrive within 10 seconds.
alert udp any 53 -> $DNS_SERVERS any (msg:"ET CURRENT_EVENTS Excessive DNS Responses with 1 or more RR's (100+ in 10 seconds) - possible Cache Poisoning Attempt"; byte_test:2,>,0,6; byte_test:2,>,0,10; threshold: type both, track by_src, count 100, seconds 10; classtype:bad-unknown; sid:2008446; rev:8;)

# This will catch large numbers of NXDOMAIN replies arriving at $HOME_NET, a sign that someone
# may be trying to poison you: forcing a resolver to look up many non-existent names produces
# a burst of NXDOMAIN backscatter from the authoritative server. byte_test:1,&,128,2 requires
# the QR (response) bit in header byte 2; the second byte_test ANDs the RCODE byte with 3, which
# is aimed at NXDOMAIN (RCODE 3) but, being a bitwise AND, also matches FORMERR (1), SERVFAIL (2)
# and REFUSED (5), so a flaky upstream can trip this rule as well.
alert udp any 53 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Excessive NXDOMAIN responses - Possible DNS Poisoning Attempt Backscatter"; byte_test:1,&,128,2; byte_test:1,&,3,1,relative; threshold: type both, track by_src, count 100, seconds 10; classtype:bad-unknown; sid:2008470; rev:1;)
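# The following is an added, stand-alone Python model of the two rules above, written for this
# page; it is not Emerging Threats' code and not Snort's detection engine. It parses the DNS
# header the byte_tests operate on, applies each rule's payload test, and approximates
# "threshold: type both, track by_src, count 100, seconds 10" so the alert behaviour can be seen
# on constructed traffic. Assumptions: Snort's "type both" is modelled as "fire on the 100th
# matching packet from a source inside a 10-second window, then stay silent until the window
# expires"; the second byte_test of sid 2008470 (offset 1, relative) is taken to land on header
# byte 3, the RCODE byte; all packets and addresses are constructed samples, and the
# function and class names are this example's own.

```python
"""Model of ET sids 2008446 and 2008470 (added example, not Emerging Threats' or Snort's code).

Assumptions: 'threshold: type both' is approximated as 'fire on the Nth matching packet from a
source within an S-second window, then stay silent until the window expires'; the rule's
relative byte_test is taken to land on header byte 3 (RCODE). Packets are constructed samples.
"""
import struct
from collections import defaultdict

# DNS header (RFC 1035, 12 bytes): ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
DNS_HEADER = struct.Struct("!HHHHHH")


def parse_dns_header(payload):
    """Return the header fields as a dict, or None if the payload is shorter than a header."""
    if len(payload) < DNS_HEADER.size:
        return None
    ident, flags, qd, an, ns, ar = DNS_HEADER.unpack_from(payload)
    return {
        "id": ident,
        "qr": bool(flags & 0x8000),   # byte 2 & 0x80 in the rule: this is a response
        "rcode": flags & 0x000F,      # low nibble of byte 3
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def match_2008446(payload):
    """byte_test:2,>,0,6 (ANCOUNT > 0) and byte_test:2,>,0,10 (ARCOUNT > 0)."""
    h = parse_dns_header(payload)
    return h is not None and h["ancount"] > 0 and h["arcount"] > 0


def match_2008470(payload):
    """byte_test:1,&,128,2 (QR set) and RCODE byte & 3 != 0, modelled exactly as written:
    the mask matches FORMERR, SERVFAIL and REFUSED as well as NXDOMAIN."""
    h = parse_dns_header(payload)
    return h is not None and h["qr"] and (h["rcode"] & 0x3) != 0


class Threshold:
    """Approximation of 'threshold: type both, track by_src, count N, seconds S'."""

    def __init__(self, count, seconds):
        self.count, self.seconds = count, seconds
        self.state = {}  # src -> [window_start, events_in_window, already_fired]

    def event(self, src, ts):
        """Record one matching packet from src at time ts; return True if an alert fires."""
        st = self.state.get(src)
        if st is None or ts - st[0] >= self.seconds:
            st = self.state[src] = [ts, 0, False]   # open a fresh window for this source
        st[1] += 1
        if st[1] >= self.count and not st[2]:
            st[2] = True
            return True
        return False


RULES = {
    2008446: ("Excessive DNS Responses with 1 or more RR's", match_2008446),
    2008470: ("Excessive NXDOMAIN responses", match_2008470),
}


def run_rules(packets, count=100, seconds=10):
    """packets: iterable of (ts, src_ip, src_port, udp_payload). Returns {sid: [(ts, src), ...]}."""
    thresholds = {sid: Threshold(count, seconds) for sid in RULES}
    alerts = defaultdict(list)
    for ts, src, sport, payload in packets:
        if sport != 53:  # both rules are 'udp any 53 ->'
            continue
        for sid, (_msg, test) in RULES.items():
            if test(payload) and thresholds[sid].event(src, ts):
                alerts[sid].append((ts, src))
    return dict(alerts)


def dns_response(ident, rcode, ancount=0, arcount=0):
    """Constructed minimal response: header only, QR set, one question claimed, no RR bodies."""
    return DNS_HEADER.pack(ident, 0x8000 | (rcode & 0xF), 1, ancount, 0, arcount)


def sample_traffic():
    """Constructed traffic (RFC 5737 addresses): two bursts that should fire, one quiet resolver."""
    pkts = []
    # 150 NXDOMAIN replies from one authoritative server in 5 s: a backscatter-style burst
    for i in range(150):
        pkts.append((1000.0 + i * 0.033, "192.0.2.53", 53, dns_response(0x1000 + i, 3)))
    # 300 forged answers carrying an answer RR and an additional (glue) RR in 3 s
    for i in range(300):
        pkts.append((2000.0 + i * 0.01, "203.0.113.7", 53, dns_response(i, 0, ancount=1, arcount=1)))
    # 5 ordinary answers from another resolver, 30 s apart: never reaches the threshold
    for i in range(5):
        pkts.append((3000.0 + i * 30.0, "198.51.100.1", 53, dns_response(i, 0, ancount=1)))
    return pkts


if __name__ == "__main__":
    for sid, hits in sorted(run_rules(sample_traffic()).items()):
        print(sid, RULES[sid][0], hits)
```

# Running it yields exactly one alert per rule: sid 2008470 on the 100th NXDOMAIN reply from
# 192.0.2.53 and sid 2008446 on the 100th forged answer from 203.0.113.7, while the slow
# resolver never fires. Feeding match_2008470 a SERVFAIL header shows the mask-3 caveat
# directly: it matches even though no NXDOMAIN was seen.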


Emerging Threats Rulesets <threats@emergingthreats.net>