Snort mailing list archives

Long DNS name segment exclusion


From: Brian <crazibri () gmail com>
Date: Wed, 11 Nov 2015 18:39:15 -0600

I've customized the default rule so that I can exclude certain domain names; we have long DNS name resolutions. However,
this rule is not working because it still fires in the Snort log.

Rule: 

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"MALWARE-OTHER dns request with long host name segment - possible data 
exfiltration attempt"; sid:5000001; gid:3; rev:1; classtype:attempted-recon; metadata: engine shared, soid 3|30881, 
service dns, content:!"sophosxl"; content:!"spotify|03|com"; )

What's wrong here?

Sophosxl TXT lookups keep getting flagged. Even with just the name only. 

Brian 
(Sent via Mobile)
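As an added example (not Snort's code and not from the post above) of what the rule text expresses: parse the QNAME out of a constructed DNS query, flag any label longer than a threshold, and apply the two exclusions as DNS wire-format byte strings, where `spotify|03|com` is the length-prefixed encoding of `spotify.com`. The 50-byte label threshold, the sample names and the exclusion handling are assumptions for illustration.

```python
import struct

# Hypothetical threshold for a "long" label (a real DNS label is at most 63 bytes).
MAX_LABEL = 50
# Exclusions in wire form, as they would appear in the UDP payload.
EXCLUSIONS = (b"sophosxl", b"spotify\x03com")   # |03| in Snort syntax is the byte 0x03


def encode_qname(name):
    """Dotted name -> DNS wire labels: one length byte followed by the label, then a 0 terminator."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype=1):
    """Constructed minimal DNS query: 12-byte header with QDCOUNT=1, then QNAME, QTYPE, QCLASS=IN."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", qtype, 1)


def parse_qname(payload):
    """Return the labels of the first question's QNAME, or [] if the payload is malformed."""
    pos, labels = 12, []
    while pos < len(payload):
        n = payload[pos]
        if n == 0:
            return labels
        # Compression pointers (top two bits set) do not occur in a question, and a label
        # running past the payload means truncation; treat both as unparseable.
        if n & 0xC0 or pos + 1 + n > len(payload):
            return []
        labels.append(payload[pos + 1:pos + 1 + n].decode("ascii", "replace"))
        pos += 1 + n
    return []


def should_alert(payload, exclusions=EXCLUSIONS, max_label=MAX_LABEL):
    """Mirror the rule's intent: fire on a long label unless an excluded byte string is present.

    Like a Snort content match, the exclusion is a plain substring test over the whole payload,
    not a check on which label the string appears in.
    """
    if any(ex in payload for ex in exclusions):
        return False
    return any(len(label) > max_label for label in parse_qname(payload))


if __name__ == "__main__":
    # TXT lookup with a 60-byte first label under sophosxl.net: long, but excluded.
    print(should_alert(build_query("a" * 60 + ".sophosxl.net", qtype=16)))   # False
    # Same length under an unrelated domain: alerts.
    print(should_alert(build_query("b" * 60 + ".example.com")))               # True
```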
------------------------------------------------------------------------------
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!
