Snort mailing list archives
Re: External DNS 127.0.0.1 response
From: James Lay <jlay () slave-tothe-box net>
Date: Fri, 19 Apr 2013 12:31:52 -0600
On Apr 19, 2013, at 12:23 PM, "lists () packetmail net" <lists () packetmail net> wrote:
> On 04/19/2013 01:12 PM, James Lay wrote:
>> Bot suspension technique:
>>
>> alert udp $EXTERNAL_NET 53 -> $DNS_SERVERS any (msg:"INDICATOR-COMPROMISE External DNS 127.0.0.1 response, possible bot suspension"; flow:from_server; content:"127.0.0.1"; fast_pattern:only; metadata:impact_flag red, service dns; classtype:trojan-activity; sid:10000048; rev:1;)
>
> Hey bro, won't this false positive on some RBL/SBL lookups, for example those that return 127.0.0.1[0-9]?$ like SORBS and SpamHaus?
> http://www.spamhaus.org/faq/section/DNSBL%20Usage#200
> http://www.sorbs.net/using.shtml
> etc.
>
> Cheers,
> Nathan

LoL... totally didn't think of that. Running now and we'll see if I get FPs :)

James

Snort-sigs mailing list: https://lists.sourceforge.net/lists/listinfo/snort-sigs
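An added example, not code from the thread: a small Python parser that applies the check Nathan raises to DNS responses in wire format, flagging loopback answers to ordinary names while treating names under known DNSBL zones as expected. The DNSBL zone list is an assumption; note that an A record carries the address as four raw bytes, so the parser compares bytes rather than the dotted string, and it extends the rule's exact 127.0.0.1 match to the whole 127/8 range.

```python
import struct

# Assumed list of DNSBL zones whose answers legitimately use 127.0.0.x
# (not from the thread; extend it with the zones your mail servers query).
DNSBL_ZONES = ("zen.spamhaus.org", "dnsbl.sorbs.net")

def _read_name(msg, off):
    """Decode a possibly-compressed DNS name; return (name, offset after it)."""
    labels, after = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if after is None:
                after = off + 2
            off = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (after if after is not None else off)

def classify_dns_response(msg):
    """'suspicious' for a 127/8 A answer to a non-DNSBL name, 'dnsbl' when the
    queried name lives under a known DNSBL zone, otherwise 'clean'.
    Assumes a single question section (QDCOUNT == 1)."""
    ancount = struct.unpack_from("!H", msg, 6)[0]
    qname, off = _read_name(msg, 12)
    off += 4                                           # skip QTYPE, QCLASS
    for _ in range(ancount):
        _, off = _read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4 and rdata[0] == 127:   # A record, loopback
            if qname.lower().endswith(DNSBL_ZONES):
                return "dnsbl"
            return "suspicious"
    return "clean"

def build_response(qname, ip):
    """Constructed sample response: one question plus one A answer (test data)."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    question = b"".join(bytes([len(l)]) + l.encode() for l in qname.split("."))
    question += b"\x00" + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4)   # name -> offset 12
    answer += bytes(int(o) for o in ip.split("."))
    return header + question + answer
```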