Hi Folks,
Just want to report an issue with the following rule:
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"ET DNS DNS Lookup for localhost.DOMAIN.TLD"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|09|localhost"; fast_pattern; nocase; classtype:bad-unknown; sid:2011802; rev:4; metadata:created_at 2010_10_13, confidence Medium, signature_severity Major, updated_at 2019_08_28;)
With the default snort configurations where SMTP_SERVERS = DNS_SERVERS = HOMENET = any, snort failed to load the above rule due to the source IP field being !any which is invalid. Should this rule being commented out by default ?