Snort mailing list archives
Long DNS name segment exclusion
From: Brian <crazibri () gmail com>
Date: Wed, 11 Nov 2015 18:39:15 -0600
I've customized the default rule so that I can exclude certain domain names; we have long DNS name resolutions. However, this rule is not working because it still fires in the Snort log.

Rule:

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"MALWARE-OTHER dns request with long host name segment - possible data exfiltration attempt"; sid:5000001; gid:3; rev:1; classtype:attempted-recon; metadata: engine shared, soid 3|30881, service dns, content:!"sophosxl"; content:!"spotify|03|com"; )

What's wrong here? Sophosxl TXT lookups keep getting flagged, even with just the name only.

Brian (Sent via Mobile)
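The following is an added example, not code from the thread or from the Snort project. It models what the rule above is meant to do: parse the question name out of a DNS query, measure the longest label, and apply the two exclusions from Brian's rule (a name containing "sophosxl" anywhere, or a name ending in the wire-encoded labels "spotify|03|com"). The label-length threshold (50), the packet layout (UDP payload only, no IP/UDP headers), and the ".example" placeholder domain are assumptions; the real shared-object rule's limit is not stated on the page.

```python
import struct

# Added example (not from the thread): a stand-alone model of a "long host name
# segment" check with the two exclusions written into the rule above.
MAX_SEGMENT = 50                                  # assumed threshold; not stated on the page
EXCLUDED_LABEL_SUBSTRINGS = ("sophosxl",)         # mirrors content:!"sophosxl"
EXCLUDED_SUFFIXES = (("spotify", "com"),)         # mirrors content:!"spotify|03|com"


def build_query(name: str, qtype: int = 1) -> bytes:
    """Build a minimal DNS query payload (UDP data only) for `name`. Constructed test input."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)  # id, flags (RD), qdcount=1
    encoded = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("DNS labels are limited to 63 bytes")
        encoded += bytes([len(raw)]) + raw       # length-prefixed label, as on the wire
    return header + encoded + b"\x00" + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN


def parse_qname(payload: bytes) -> list:
    """Return the labels of the first question name in a DNS payload."""
    if len(payload) < 12:
        raise ValueError("truncated DNS header")
    qdcount = struct.unpack("!H", payload[4:6])[0]
    if qdcount == 0:
        return []
    pos, labels = 12, []
    while True:
        if pos >= len(payload):
            raise ValueError("truncated question name")
        length = payload[pos]
        if length == 0:                          # root label terminates the name
            break
        if length & 0xC0:
            # Compression pointers do not belong in a question name; treat as malformed.
            raise ValueError("unexpected compression pointer in question name")
        pos += 1
        labels.append(payload[pos:pos + length].decode("ascii", "replace"))
        pos += length
    return labels


def is_excluded(labels: list) -> bool:
    """Apply the rule's exclusions: a label containing 'sophosxl', or a name ending in spotify.com."""
    if any(sub in label for label in labels for sub in EXCLUDED_LABEL_SUBSTRINGS):
        return True
    return any(tuple(labels[-len(suffix):]) == suffix for suffix in EXCLUDED_SUFFIXES)


def check_query(payload: bytes) -> dict:
    """Return the queried name, its longest label length, and whether the check would alert."""
    labels = parse_qname(payload)
    longest = max((len(lab) for lab in labels), default=0)
    alert = longest > MAX_SEGMENT and not is_excluded(labels)
    return {"name": ".".join(labels), "longest": longest, "alert": alert}


if __name__ == "__main__":
    # Constructed sample names; ".example" is a placeholder domain, not a real zone.
    for name in ("www.example.com",
                 "a" * 60 + ".example.com",
                 "a" * 60 + ".sophosxl.example",
                 "a" * 60 + ".spotify.com"):
        print(check_query(build_query(name)))
```

Note that both the model and Snort's content matching operate on raw bytes of the payload, which is why the second exclusion is written as "spotify|03|com" (the label "spotify" followed by the length byte 0x03 and "com") rather than "spotify.com"; a dotted string would never appear in a DNS query packet. The model also stays case-sensitive, as a content match without nocase does.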
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- Long DNS name segment exclusion Brian (Nov 11)
- Re: Long DNS name segment exclusion Y M (Nov 12)
- Re: Long DNS name segment exclusion Joel Esler (jesler) (Nov 12)
- Re: Long DNS name segment exclusion Brian (Nov 12)
- Re: Long DNS name segment exclusion Joel Esler (jesler) (Nov 12)
- Re: Long DNS name segment exclusion Y M (Nov 12)