Snort mailing list archives

Re: External DNS 127.0.0.1 response


From: "lists () packetmail net" <lists () packetmail net>
Date: Fri, 19 Apr 2013 13:23:55 -0500

On 04/19/2013 01:12 PM, James Lay wrote:
> Bot suspension technique:
>
> alert udp $EXTERNAL_NET 53 -> $DNS_SERVERS any (msg:"INDICATOR-COMPROMISE External DNS 127.0.0.1 response, possible bot suspension"; flow:from_server; content:"127.0.0.1"; fast_pattern:only; metadata:impact_flag red, service dns; classtype:trojan-activity; sid:10000048; rev:1;)

Hey bro, won't this false positive on some RBL/SBL lookups, for example those
that return 127.0.0.1[0-9]?$ like SORBS and SpamHaus?

http://www.spamhaus.org/faq/section/DNSBL%20Usage#200
http://www.sorbs.net/using.shtml
etc

Cheers,
Nathan
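The false-positive class Nathan describes can be separated out at triage time: a 127.0.0.x answer is expected when the query name is a reversed-octet lookup under a DNSBL zone, and only a loopback answer for an ordinary hostname is worth the alert. The following is an added example (not code from the thread or from the Snort project) that classifies parsed DNS answers on that basis; the DNSBL zone list and the sample records are constructed for illustration.

```python
import ipaddress

# Constructed list of DNSBL zones whose listing replies are 127.0.0.x addresses.
# Illustrative only; populate from the zones your mail servers actually query.
DNSBL_ZONES = ("zen.spamhaus.org", "dnsbl.sorbs.net")

def is_dnsbl_query(qname):
    """True if qname is a reversed-octet lookup (4.3.2.1.<zone>) under a known DNSBL zone."""
    name = qname.rstrip(".").lower()
    for zone in DNSBL_ZONES:
        if name.endswith("." + zone):
            labels = name[: -len(zone) - 1].split(".")
            # A DNSBL lookup reverses the four octets of the client IP in front of the zone.
            return len(labels) == 4 and all(
                lbl.isdigit() and 0 <= int(lbl) <= 255 for lbl in labels
            )
    return False

def classify_answer(qname, rdata):
    """Classify an A-record answer given as dotted-quad text (the form the rule's
    content:"127.0.0.1" string is written in).

    Returns 'dnsbl-listing', 'loopback-suspicious' or 'normal'.
    """
    addr = ipaddress.ip_address(rdata)
    if addr not in ipaddress.ip_network("127.0.0.0/8"):
        return "normal"
    if is_dnsbl_query(qname):
        # Expected: listed senders get a 127.0.0.x reply from SORBS/Spamhaus-style lists.
        return "dnsbl-listing"
    # Loopback answer for a non-DNSBL name: the "bot suspension" case the rule targets.
    return "loopback-suspicious"

def triage(records):
    """Apply classify_answer to (qname, rdata) pairs, e.g. from passive DNS logs."""
    return [(q, a, classify_answer(q, a)) for q, a in records]

# Constructed sample answers: two DNSBL listings, one loopback reply for a
# hypothetical hostname (placeholder name in .test), one ordinary answer.
SAMPLE = [
    ("2.0.0.127.zen.spamhaus.org.", "127.0.0.2"),
    ("2.0.0.127.dnsbl.sorbs.net.", "127.0.0.10"),
    ("updates.constructed-example.test.", "127.0.0.1"),
    ("www.example.com.", "93.184.216.34"),
]

if __name__ == "__main__":
    for qname, rdata, verdict in triage(SAMPLE):
        print(f"{qname:40} {rdata:16} {verdict}")
```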

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
