On 06.01.2011 15:13 CE(S)T, Mark Martinec wrote:
> --- Botnet.pm.ori 2007-08-06 03:53:55.0 +0200
> +++ Botnet.pm 2011-01-06 14:56:12.009017547 +0100
> @@ -703,4 +703,6 @@
> my ($resolver, $query, $rr, $i, @a);
>
> + return 1 if defined $ip && $ip =~ /:/; # does not handle IPv6
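Review bot: the added line `return 1 if defined $ip && $ip =~ /:/;` treats any colon in `$ip` as "this is IPv6" and short-circuits the whole lookup that follows, and the trailing comment "does not handle IPv6" reads as if the code below deals with IPv6 when the line actually bypasses it; reword it to say what happens, e.g. `# IPv6 not supported by the lookup below, skip the check (no hit)`, and state in that comment what the early `1` means to callers, since the reader at line 703 cannot tell whether `1` is the "clean" or the "listed" result. Also note that `/:/` matches IPv4-mapped forms such as `::ffff:192.0.2.1` too, so if the caller ever hands those in, they will also skip the check; a stricter test (for instance, "contains a colon and is not an IPv4-mapped address") would keep the hack scoped to genuine IPv6 peers.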
> Nevertheless, out of necessity, here is a quick hack to prevent
> Botnet FPs on IPv6 connections (that came with a bunch of
> emitted warnings that accompanied each such mail message).
Thank you very much for your IPv6 patch. I've seen the problem m
> On 1/5/2011 5:11 PM, Mark Martinec wrote:
> > Btw, the BOTNET plugin also produces a FP hit for any IPv6 connection,
> > regardless of its rDNS. If someone is interested in a quick hack
> > patch, I can post it.
>
> Mark, please do post the patch. It's good to see that someone is
> supporting t
On 6.1.2011 15:42, Henrik K wrote:
> On Thu, Jan 06, 2011 at 02:46:30PM +0200, Jari Fredriksson wrote:
>> On 6.1.2011 0:10, Lawrence @ Rogers wrote:
>>>
>>> I would remove the p0f and botnet rules if I were you. That would solve
>>> your problem.
>>>
>>
>> I find BOTNET an excellent addition to my
On Thu, Jan 06, 2011 at 02:46:30PM +0200, Jari Fredriksson wrote:
> On 6.1.2011 0:10, Lawrence @ Rogers wrote:
> >
> > I would remove the p0f and botnet rules if I were you. That would solve
> > your problem.
> >
>
> I find BOTNET an excellent addition to my SA.
Of course it is, most spam is fr
On 6.1.2011 0:10, Lawrence @ Rogers wrote:
>
> I would remove the p0f and botnet rules if I were you. That would solve
> your problem.
>
I find BOTNET an excellent addition to my SA.
TOP SPAM RULES FIRED
--
RANK RULE NAME
On ons 05 jan 2011 23:10:41 CET, "Lawrence @ Rogers" wrote
I would remove the p0f and botnet rules if I were you. That would
solve your problem.
it will not solve it for others unless reverse dns is solved as well
--
xpoint http://www.unicom.com/pw/reply-to-harmful.html
On ons 05 jan 2011 22:52:41 CET, Michael Monnerie wrote
I received this info from a customer, whose order confirmation from the
londontheatredirect.com got marked as spam because of BOTNET* rules. Are
those rules too old, or is that server in a botnet? How to find out?
Or which rules scores shou
On 1/5/2011 5:11 PM, Mark Martinec wrote:
Combining p0f with BOTNET is intended to *reduce* the high number
of false positives that BOTNET alone produces, *at least* for the
non-windows machines. The windows hosts are left alone and are
not protected by p0f from BOTNET FP.
If someone is scoring p0f in combination with BOTNET differently,
On 05/01/2011 8:38 PM, RW wrote:
Aside from BOTNET_WIN the p0f rules are low-scoring and add-up to zero.
Since BOTNETS are 100% Windows it doesn't seem unreasonable to use p0f
in a metarule. However, you might want to look into this inconsistency:
You are right about the overlapping and one rule
On Wed, 05 Jan 2011 18:40:41 -0330
"Lawrence @ Rogers" wrote:
> I would suspect that you are using non-standard rules. What's most
> concerning is the old p0f rules that are looking for Windows XP. That
> is dangerous and a bad thing to use as a rule (the OS of the sender).
Aside from BOTNET_W
On 05/01/2011 6:22 PM, Michael Monnerie wrote:
Dear list,
I received this info from a customer, whose order confirmation from the
londontheatredirect.com got marked as spam because of BOTNET* rules. Are
those rules too old, or is that server in a botnet? How to find out?
Or which rules scores sh
On 1/5/11 4:52 PM, Michael Monnerie wrote:
server88-208-245-26.live-servers.net
botnet is NOT a stock SA rule
plus, look at the silly DYNAMIC RULE LOOKING rdns.
fix rdns.
--
Michael Scheidell, CTO
o: 561-999-5000
d: 561-948-2259
ISN: 1259*1300
SECNAP Network Security Corporation