Snort mailing list archives
Re: DNS Reverse Shell sig
From: James Lay <jlay () slave-tothe-box net>
Date: Wed, 04 Feb 2015 13:59:14 -0700
On 2015-02-04 01:29 PM, rmkml wrote:
Thx James for sharing, Length is always the same, add 0x3A (dns length) like this ? Add "-" for better performance ? modify pcre to use relative?
alert udp $HOME_NET any -> any 53 (msg:"Possible Python Reverse DNS Shell"; content:"|01 00 00 01 00 00 00 00 00 00 3A|"; depth:11; offset:2; fast_pattern; content:"-"; within:1; distance:1; pcre:"/^[a-z0-9]{56}/Ri"; reference:url,lockboxx.blogspot.com/2015/01/python-reverse-dns-shell.html; classtype:bad-unknown; sid:10000150; rev:2;)
Best Regards @Rmkml On Wed, 4 Feb 2015, James Lay wrote:In my testing of http://lockboxx.blogspot.com/2015/01/python-reverse-dns-shell.html I noticed that during the reverse shell session a semi-constant showed up...namely a character followed by a dash, followed by 56 other characters. Pretty sure this could be changed in the python code, but this will catch this in it's current form. It will not fire on each and every dns query, but will most likely fire at least during the session. alert udp $HOME_NET any -> any 53 (msg:"Possible Python Reverse DNS Shell"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; fast_pattern; pcre:"/[a-z]-[a-z0-9]{56}/i"; reference:url,lockboxx.blogspot.com/2015/01/python-reverse-dns-shell.html; classtype:bad-unknown; sid:10000150; rev:1;) This WILL most likely FP if you're looking for a domain that matches the above style, but I couldn't find any such domain in my logs. Enjoy. James
That's a good idea..would that still catch the initial "[a-zA-Z]-" at the start though? Or just the "-[a-z0-9]{56}"...thanks RM! James ------------------------------------------------------------------------------ Dive into the World of Parallel Programming. The Go Parallel Website, sponsored by Intel and developed in partnership with Slashdot Media, is your hub for all things parallel software development, from weekly thought leadership blogs to news, videos, case studies, tutorials and more. Take a look and join the conversation now. http://goparallel.sourceforge.net/ _______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- DNS Reverse Shell sig James Lay (Feb 04)
- Re: DNS Reverse Shell sig rmkml (Feb 04)
- Re: DNS Reverse Shell sig James Lay (Feb 04)
- <Possible follow-ups>
- Re: DNS Reverse Shell sig Dave Killion (Feb 04)
- Re: DNS Reverse Shell sig James Lay (Feb 04)
- Re: DNS Reverse Shell sig rmkml (Feb 04)