Snort mailing list archives
Rule 3:30881
From: James Lay <jlay () slave-tothe-box net>
Date: Thu, 20 Oct 2016 08:05:21 -0600
Rule:
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"MALWARE-OTHER dns request with long host name segment - possible data exfiltration attempt"; sid:30881; gid:3; rev:4; classtype:attempted-recon; metadata: engine shared, soid 3|30881, service dns;)
Hit:
[3:30881:3] MALWARE-OTHER dns request with long host name segment - possible data exfiltration attempt [Classification: Attempted Information Leak] [Priority: 2] {UDP} x.x.x.x:64712 -> x.x.x.x:53
dns request: cat-server-lb-tus1gwynwapex01-368602537.us-east-1.elb.amazonaws.com
I'm hoping you folks can look at this instead of myself just blindly
event_filtering this rule. Thank you.
James
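As an added illustration, not part of James's post or of the Snort rule itself (3:30881 is a shared-object rule and its exact label-length cut-off is not shown here), the Python below parses a constructed DNS query in wire format, measures its longest label, and decides whether the hit deserves escalation. It assumes a 32-byte threshold and a trusted-suffix allow-list (both assumptions), so the ELB name from the hit fires but is recognised as a known long-label cloud name rather than being silenced wholesale with event_filter.

```python
import struct

# Assumed threshold: the real cut-off used by 3:30881 is not in the post.
LONG_LABEL_THRESHOLD = 32
# Assumed tuning allow-list of suffixes known to carry very long labels.
TRUSTED_SUFFIXES = (".elb.amazonaws.com",)


def build_dns_query(name: str, txid: int = 0x1234) -> bytes:
    """Encode a minimal DNS A/IN query for `name` (constructed test input)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_qname_labels(packet: bytes) -> list:
    """Walk the QNAME labels of the first question; queries carry no compression."""
    labels, pos = [], 12  # QNAME starts right after the 12-byte header
    while True:
        length = packet[pos]
        if length == 0:  # root label terminates the name
            break
        if length & 0xC0:  # 11xxxxxx would be a compression pointer
            raise ValueError("compression pointer in QNAME of a query")
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return labels


def long_label_alert(packet: bytes, threshold: int = LONG_LABEL_THRESHOLD) -> dict:
    """Mimic the rule's 'long host name segment' check, then apply tuning context."""
    labels = parse_qname_labels(packet)
    name = ".".join(labels)
    longest = max(len(lbl) for lbl in labels)
    fires = longest > threshold
    trusted = name.endswith(TRUSTED_SUFFIXES)
    return {
        "name": name,
        "longest_label": longest,
        "fires": fires,
        "trusted_suffix": trusted,
        "escalate": fires and not trusted,  # analyst attention only for unknown names
    }
```

Running it against the hit's name gives a longest label of 39 bytes, which trips the assumed threshold but matches the allow-listed suffix, while the same label length under an unknown domain would still escalate.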