Snort mailing list archives
Re: Long DNS name segment exclusion
From: Brian <crazibri () gmail com>
Date: Thu, 12 Nov 2015 16:44:58 -0600
You can't suppress the rule using DNS names that it's triggering on.

Brian (Sent via Mobile)

On Nov 12, 2015, at 4:37 PM, Joel Esler (jesler) <jesler () cisco com> wrote:

This is why there are suppressions.

--
Joel Esler
Manager, Talos
Sent from my iPhone

On Nov 12, 2015, at 4:03 PM, Y M <snort () outlook com> wrote:
The rule you are attempting to modify is a shared object (so) rule. Such rules are written in a code form (probably C) and then compiled into a shared object which is then loaded when Snort runs. Basically you are modifying the rule stub rather than the rule itself.

Sent from Mobile

_____________________________
From: Brian <crazibri () gmail com>
Sent: Thursday, November 12, 2015 3:41 AM
Subject: [Snort-sigs] Long DNS name segment exclusion
To: <snort-sigs () lists sourceforge net>

I've customized the default rule so that I can exclude certain domain names; we have long DNS name resolutions. However this rule is not working because it still fires in the snort log.

Rule:

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"MALWARE-OTHER dns request with long host name segment - possible data exfiltration attempt"; sid:5000001; gid:3; rev:1; classtype:attempted-recon; metadata: engine shared, soid 3|30881, service dns, content:!"sophosxl"; content:!"spotify|03|com"; )

What's wrong here? Sophosxl TXT lookups keep getting flagged. Even with just the name only.

Brian (Sent via Mobile)

------------------------------------------------------------------------------
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
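The thread's point is that the shared-object rule's logic lives in compiled code, so negated `content` options pasted into the stub never reach it, and Snort's own per-gid/sid `suppress` mechanism keys on rule id and IP, not on the queried name. The following is an added example, not code from this thread and not Snort's SO rule: a small defender-side check that does what the original poster wanted, namely flag DNS queries whose longest label exceeds a threshold while exempting an allowlist of domains. The threshold (50), the allowlisted domains `sophosxl.net` and `spotify.com`, and the sample queries are all assumptions constructed for the example; the real SO rule's threshold is not stated in the thread.

```python
# Added example (not the Snort SO rule and not code from this thread): a
# defender-side "long DNS label" detector with a domain allowlist, so the
# exclusion the original poster wanted can live outside the rule stub.
import struct

# ASSUMPTION: the SO rule's real label-length threshold is not given in the
# thread; 50 is a placeholder chosen for this example.
LONG_LABEL_THRESHOLD = 50

# ASSUMPTION: domains whose lookups legitimately carry long labels
# (modelled on the thread's "sophosxl" and "spotify" examples).
ALLOWLIST = ("sophosxl.net", "spotify.com")


def parse_qname(payload: bytes, offset: int = 12) -> tuple[list[str], int]:
    """Parse an uncompressed DNS QNAME starting at `offset` (12 = just after
    the fixed header). Returns (labels, offset_after_name). A query's QNAME
    is never compressed, so a compression pointer is treated as malformed."""
    labels = []
    while True:
        if offset >= len(payload):
            raise ValueError("truncated name")
        length = payload[offset]
        offset += 1
        if length == 0:
            return labels, offset
        if length & 0xC0:
            raise ValueError("compression pointer in QNAME")
        if length > 63:
            raise ValueError("label longer than 63 octets")
        labels.append(payload[offset:offset + length].decode("ascii", "replace"))
        offset += length


def is_allowlisted(labels: list[str]) -> bool:
    """True if the name is one of the allowlisted domains or a subdomain of one."""
    name = ".".join(labels).lower()
    return any(name == d or name.endswith("." + d) for d in ALLOWLIST)


def check_query(payload: bytes) -> dict:
    """Verdict for one DNS query payload (UDP data, header included)."""
    if len(payload) < 12:
        raise ValueError("short DNS header")
    qdcount = struct.unpack("!H", payload[4:6])[0]
    if qdcount < 1:
        raise ValueError("no question section")
    labels, _ = parse_qname(payload)
    longest = max((len(label) for label in labels), default=0)
    return {
        "qname": ".".join(labels),
        "longest_label": longest,
        "alert": longest >= LONG_LABEL_THRESHOLD and not is_allowlisted(labels),
    }


def build_query(name: str, qtype: int = 16) -> bytes:
    """Build a minimal DNS query payload (constructed sample input;
    qtype 16 = TXT, 1 = A)."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


# Constructed samples: a long-label TXT lookup to an allowlisted domain, an
# ordinary A lookup, and a long-label TXT lookup to a non-allowlisted domain.
SAMPLES = {
    "allowlisted": build_query("a" * 55 + ".sophosxl.net", 16),
    "normal": build_query("www.example.com", 1),
    "suspicious": build_query("b" * 55 + ".example.org", 16),
}

if __name__ == "__main__":
    for tag, query in SAMPLES.items():
        print(tag, check_query(query))
```

Only the third sample raises an alert. Inside Snort itself, the equivalent of the allowlist is not available for an SO rule; what the thread's replies point to is a `suppress gen_id 3, sig_id 30881, track by_src, ip <host>` entry in threshold.conf, which silences the event for a given source or destination address rather than for a given name.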
Current thread:
- Long DNS name segment exclusion Brian (Nov 11)
- Re: Long DNS name segment exclusion Y M (Nov 12)
- Re: Long DNS name segment exclusion Joel Esler (jesler) (Nov 12)
- Re: Long DNS name segment exclusion Brian (Nov 12)
- Re: Long DNS name segment exclusion Joel Esler (jesler) (Nov 12)
- Re: Long DNS name segment exclusion Y M (Nov 12)