RW wrote:
> On Fri, 29 Oct 2010 22:02:56 -0400
> dar...@chaosreigns.com wrote:
>
>> I see there's an RDNS_NONE rule for when the sending IP address has no
>> DNS PTR (reverse DNS) record. But no rule for when that PTR record
>> doesn't have a matching A (forward DNS) record that matches the
>> sending IP?
>>
>
> There's one in the optional Botnet plugin, there are a couple of
> problems with it though. Its rdns lookups aren't very efficient, and
> it doesn't work for IPv6.
>

Ah, Paranoid mode - most useful once upon a time. I can see cases where this might still be useful; and it's certainly better to score than to reject outright. That said, as others on this list suggest, this probably will never make it into the native SA development effort.
RW is correct. The Botnet.pm plugin supports this for IP4 addresses via the rule "BOTNET_BADDNS":

describe BOTNET_BADDNS Relay doesn't have full circle DNS
header BOTNET_BADDNS eval:botnet_baddns()
score BOTNET_BADDNS 0.0

Regards,
Jared Hall
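The check both messages are talking about is forward-confirmed reverse DNS: resolve the sending IP to its PTR name(s), resolve each name back to addresses, and require that one of them equals the original IP. The following is an added illustration written for this thread, not code from SpamAssassin or the Botnet plugin. It handles IPv4 and IPv6 (the gap RW notes in the plugin), distinguishes "no PTR at all" (what RDNS_NONE catches) from "PTR exists but does not round-trip" (what BOTNET_BADDNS describes as missing "full circle DNS"), and takes the lookup functions as parameters so it can run offline against a constructed fake DNS table; the hostnames, addresses and the verdict labels "none"/"bad"/"ok" are all my own assumptions. `live_ptr`/`live_addr` use the standard `socket` resolver for real use.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check for IPv4 and IPv6.

Added example, not code from the SpamAssassin project or the Botnet plugin.
Lookup functions are injected so the logic can be exercised offline against a
constructed fake DNS table; live_ptr/live_addr use the system resolver.
"""
import ipaddress
import socket

# Constructed sample DNS data using documentation prefixes (RFC 5737 / RFC 3849).
# None of these are real hosts.
FAKE_PTR = {
    "192.0.2.10": ["mail.example.net."],    # PTR and A agree: full circle
    "192.0.2.20": ["bogus.example.org."],   # PTR exists but A points elsewhere
    "2001:db8::25": ["mx6.example.net."],   # IPv6 host with matching AAAA
}
FAKE_ADDR = {
    "mail.example.net.": ["192.0.2.10"],
    "bogus.example.org.": ["198.51.100.7"],
    "mx6.example.net.": ["2001:db8::25"],
}


def fake_ptr(ip):
    """PTR lookup against the constructed table: list of names, [] if none."""
    return FAKE_PTR.get(ip, [])


def fake_addr(name):
    """A/AAAA lookup against the constructed table: list of address strings."""
    return FAKE_ADDR.get(name, [])


def live_ptr(ip):
    """PTR lookup via the system resolver; accepts v4 and v6 literals."""
    try:
        host, aliases, _ = socket.gethostbyaddr(ip)
        return [host] + list(aliases)
    except (socket.herror, socket.gaierror):
        return []


def live_addr(name):
    """A and AAAA lookup via the system resolver, de-duplicated."""
    try:
        return sorted({res[4][0] for res in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return []


def reverse_name(ip):
    """The owner name a resolver queries for PTR (in-addr.arpa / ip6.arpa)."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def fcrdns(ip, ptr_lookup=live_ptr, addr_lookup=live_addr):
    """Classify a sending IP:
       'none' -> no PTR record          (the RDNS_NONE situation)
       'bad'  -> PTR names never resolve back to the IP (BOTNET_BADDNS-style)
       'ok'   -> at least one PTR name resolves back to the IP (full circle)
    """
    addr = ipaddress.ip_address(ip)        # raises ValueError on junk input
    names = ptr_lookup(str(addr))          # str() normalises IPv6 spelling
    if not names:
        return "none"
    for name in names:
        for candidate in addr_lookup(name):
            try:
                if ipaddress.ip_address(candidate) == addr:
                    return "ok"
            except ValueError:
                continue                   # resolver handed back a non-address
    return "bad"


if __name__ == "__main__":
    # Offline demonstration against the constructed table.
    for ip in ("192.0.2.10", "192.0.2.20", "2001:db8::25", "203.0.113.1"):
        verdict = fcrdns(ip, fake_ptr, fake_addr)
        print(f"{ip:14} {reverse_name(ip):42} {verdict}")
```

A mail filter would call `fcrdns(relay_ip)` with the default live lookups and feed "none" and "bad" into separate scoring rules rather than rejecting outright, which is the "score, don't reject" point made above. Because every PTR name is tried and any single match suffices, a multi-homed relay with several PTR records still passes.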