Snort mailing list archives

Re: BOTNET-CNC Possible host infection - excessive DNS queries for .eu


From: Joel Esler <jesler () sourcefire com>
Date: Mon, 12 Mar 2012 11:27:07 -0400

On Mon, Mar 12, 2012 at 11:21 AM, Community Signatures <lists () packetmail net> wrote:

> On 03/12/12 10:14, Martin Holste wrote:
>> The sig, as written, will false like crazy on any medium- or large-sized
>> network because it does not take into account DNS servers or SMTP servers
>> (or spam gateways), which do a lot of DNS lookups.
>
> I dunno, "detection_filter:track by_src, count 100, seconds 10;" -- even
> in these high-volume networks I would tend to agree that 10
> queries/second is suspicious when 100 after 10 seconds is reached.


We've had one report of a false positive on a rule similar to this as a
result of Chrome doing pre-fetching on certain sites (.ru, not .eu), so I am
sure it could happen if there are 100 external links NOT with the same
domain name on a single page.

This is an indicator of compromise. In the new rule category system:
http://blog.snort.org/2012/03/rule-category-reorganization.html

This will go in INDICATOR-COMPROMISE


-- 
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
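The point of the thread is how "detection_filter: track by_src, count 100, seconds 10;" behaves on a host that legitimately does many lookups. The following Python is an editor-added illustration, not code from the thread or from Snort: it approximates the detection_filter semantics (a per-source sampling window that starts at the source's first match and resets after the configured seconds, with alerts on every further match once the count is exceeded; treat that boundary as an assumption and check the Snort manual for the exact rule) and runs it over constructed DNS query records for a workstation, a recursive resolver and a mail gateway. The IP addresses, hostnames and the `excluded_srcs` parameter are invented for the example; the exclusion list stands in for defining known resolvers and SMTP gateways in a Snort variable or pass rule, which is the mitigation Martin Holste's objection implies.

```python
"""Approximation of Snort's detection_filter rate threshold, applied to a
constructed sample of outbound DNS queries for .eu names.

Assumptions (editor-added illustration, not Snort's own code): a matching
packet is counted per source IP inside a sampling window that starts at the
source's first match and is reset after `seconds`; the rule alerts on every
further match once more than `count` matches have been seen in that window.
"""


def is_eu_query(qname: str) -> bool:
    """True when the queried name falls under the .eu TLD (trailing dot tolerated)."""
    return qname.lower().rstrip(".").endswith(".eu")


class DetectionFilter:
    """Per-source counter modelling 'detection_filter: track by_src, count N, seconds S'."""

    def __init__(self, count: int, seconds: float):
        self.count = count
        self.seconds = seconds
        self._windows = {}  # src -> (window_start_ts, matches_in_window)

    def observe(self, ts: float, src: str) -> bool:
        """Record one match for src; return True when this match exceeds the rate."""
        start, n = self._windows.get(src, (None, 0))
        if start is None or ts - start >= self.seconds:
            start, n = ts, 0  # new sampling period for this source
        n += 1
        self._windows[src] = (start, n)
        return n > self.count


def run_rule(records, count=100, seconds=10.0, excluded_srcs=frozenset()):
    """Apply the .eu-query rule with its detection_filter over (ts, src, qname) records.

    `excluded_srcs` (hypothetical parameter) plays the role of a Snort variable or
    pass rule listing known recursive resolvers and mail gateways. Returns the
    list of (ts, src) alerts in time order.
    """
    filt = DetectionFilter(count, seconds)
    alerts = []
    for ts, src, qname in sorted(records, key=lambda r: r[0]):
        if src in excluded_srcs or not is_eu_query(qname):
            continue
        if filt.observe(ts, src):
            alerts.append((ts, src))
    return alerts


def build_sample():
    """Constructed traffic: a workstation, a busy recursive resolver and a mail gateway."""
    records = []
    # Workstation: a handful of .eu lookups, well under the threshold.
    for i in range(5):
        records.append((float(i), "10.0.0.15", f"site{i}.example.eu"))
    # Recursive resolver: 120 distinct .eu lookups in 8 seconds (legitimate volume,
    # but it trips the filter exactly as the thread warns).
    for i in range(120):
        records.append((100.0 + i * 8 / 120, "10.0.0.53", f"host{i}.example.eu"))
    # Same resolver, a second burst of 50 queries 100 s later: a fresh window, no alert.
    for i in range(50):
        records.append((200.0 + i * 0.1, "10.0.0.53", f"other{i}.example.eu"))
    # Mail gateway: 150 lookups, but for .com names, so the rule's content never matches.
    for i in range(150):
        records.append((300.0 + i * 0.05, "10.0.0.25", f"mx{i}.example.com"))
    return records


if __name__ == "__main__":
    sample = build_sample()
    for ts, src in run_rule(sample):
        print(f"{ts:8.2f}  alert  src={src}")
    print("after excluding the resolver:", run_rule(sample, excluded_srcs={"10.0.0.53"}))
```

Running it shows twenty alerts, all for the resolver's queries 101 through 120 within its first window, and none for the workstation or the mail gateway; passing the resolver's address in `excluded_srcs` silences the rule entirely, which is the practical answer to the false-positive concern raised above.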