Snort mailing list archives
Re: BOTNET-CNC Possible host infection - excessive DNS queries for .eu
From: Joel Esler <jesler () sourcefire com>
Date: Mon, 12 Mar 2012 11:18:20 -0400
Which is why more specific signatures are written for this malware, and this rule is disabled by default and in no policies. On Mon, Mar 12, 2012 at 11:14 AM, Martin Holste <mcholste () gmail com> wrote:
The sig, as written, will false like crazy on any medium or large sized network because it does not take into account DNS servers or SMTP servers (or spam gateways) which do a lot of DNS lookups. On Mon, Mar 12, 2012 at 9:41 AM, Alex Kirk <akirk () sourcefire com> wrote:First, you need the ".eu" bit because you need to have a content match in the rule, else performance will suffer massively. Second, and more important, the behavior we've seen centers around this particular TLD(and acouple of others for which we have rules); we're targeting there to keep false positives down. As far as this picking up other malware - chances are high it will. Theruleof thumb is to take a look at the domain names in the alerts, anddeterminewhether they're legitimate or not (which is usually obvious because malicious ones are randomized), and then track back to the boxesgeneratingthe queries for a thorough scan/investigation. On Sun, Mar 11, 2012 at 8:00 AM, Yew Chuan Ong <yewchuan88 () gmail com>wrote:Hi, alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BOTNET-CNC Possiblehostinfection - excessive DNS queries for .eu"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|02|eu|00|"; fast_pattern:only; detection_filter:track by_src, count 100, seconds 10; classtype:trojan-activity; sid:21544; rev:1;) This is the new sig posted on VRT blog recently which aimed to find out malware within the network. I am wondering why we need to specific onthekeyword ".eu". Can we tracked the related traffic by using only the threshold? Also, are we aiming on any specific malware besides Murofet and Kazy? I try to google around but can't really get it. Thanks!------------------------------------------------------------------------------Try before you buy = See our experts in action! The most comprehensive online learning library for Microsoft developers is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3, Metro Style Apps, more. Free future releases when you subscribe now! http://p.sf.net/sfu/learndevnow-dev2 _______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!-- Alex Kirk AEGIS Program Lead Sourcefire Vulnerability Research Team +1-410-423-1937 alex.kirk () sourcefire com------------------------------------------------------------------------------Try before you buy = See our experts in action! The most comprehensive online learning library for Microsoft developers is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3, Metro Style Apps, more. Free future releases when you subscribe now! http://p.sf.net/sfu/learndevnow-dev2 _______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!------------------------------------------------------------------------------ Try before you buy = See our experts in action! The most comprehensive online learning library for Microsoft developers is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3, Metro Style Apps, more. Free future releases when you subscribe now! http://p.sf.net/sfu/learndevnow-dev2 _______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
-- Joel Esler Senior Research Engineer, VRT OpenSource Community Manager Sourcefire
------------------------------------------------------------------------------ Try before you buy = See our experts in action! The most comprehensive online learning library for Microsoft developers is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3, Metro Style Apps, more. Free future releases when you subscribe now! http://p.sf.net/sfu/learndevnow-dev2
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- BOTNET-CNC Possible host infection - excessive DNS queries for .eu Yew Chuan Ong (Mar 12)
- Re: BOTNET-CNC Possible host infection - excessive DNS queries for .eu Alex Kirk (Mar 12)
- Re: BOTNET-CNC Possible host infection - excessive DNS queries for .eu Martin Holste (Mar 12)
- Re: BOTNET-CNC Possible host infection - excessive DNS queries for .eu Joel Esler (Mar 12)
- Re: BOTNET-CNC Possible host infection - excessive DNS queries for .eu Community Signatures (Mar 12)
- Re: BOTNET-CNC Possible host infection - excessive DNS queries for .eu Joel Esler (Mar 12)
- Re: BOTNET-CNC Possible host infection - excessive DNS queries for .eu Martin Holste (Mar 12)
- Re: BOTNET-CNC Possible host infection - excessive DNS queries for .eu Joel Esler (Mar 12)
- Re: BOTNET-CNC Possible host infection - excessive DNS queries for .eu Martin Holste (Mar 12)
- Re: BOTNET-CNC Possible host infection - excessive DNS queries for .eu Joel Esler (Mar 12)
- Re: BOTNET-CNC Possible host infection - excessive DNS queries for .eu Martin Holste (Mar 12)
- Re: BOTNET-CNC Possible host infection - excessive DNS queries for .eu Alex Kirk (Mar 12)