Snort mailing list archives
Rule 3:30881
From: James Lay <jlay () slave-tothe-box net>
Date: Thu, 20 Oct 2016 08:05:21 -0600
Rule:
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"MALWARE-OTHER dns request with long host name segment - possible data exfiltration attempt"; sid:30881; gid:3; rev:4; classtype:attempted-recon; metadata: engine shared, soid 3|30881, service dns;)

Hit:
[3:30881:3] MALWARE-OTHER dns request with long host name segment - possible data exfiltration attempt [Classification: Attempted Information Leak] [Priority: 2] {UDP} x.x.x.x:64712 -> x.x.x.x:53

dns request cat-server-lb-tus1gwynwapex01-368602537.us-east-1.elb.amazonaws.com

I'm hoping you folks can look at this instead of myself just blindly event_filtering this rule. Thank you.

James
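The "long host name segment" the rule names is a single label inside the DNS QNAME, and the ELB hostname in the event carries one 39-character label. The following Python is an added illustration, not the shared-object rule's own logic (the thread does not state its real cutoff): it encodes a query for that hostname, measures the longest label, and shows an assumed threshold plus an assumed suffix allowlist as a narrower tuning option than filtering the whole rule.

```python
import struct

# Constructed sample input: the hostname from the event above plus a short
# name for comparison. MAX_LABEL_LEN and TRUSTED_SUFFIXES are ASSUMPTIONS
# for illustration; the shared-object rule's actual threshold is not given.
SAMPLE_NAMES = [
    "cat-server-lb-tus1gwynwapex01-368602537.us-east-1.elb.amazonaws.com",
    "www.snort.org",
]
MAX_LABEL_LEN = 32
TRUSTED_SUFFIXES = (".elb.amazonaws.com",)


def build_dns_query(name, txid=0x1234):
    """Encode a minimal DNS A/IN query (12-byte header + one question)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii") for label in name.split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_qname_labels(packet):
    """Walk the first question's QNAME and return its labels as strings."""
    offset, labels = 12, []  # skip the fixed header
    while True:
        length = packet[offset]
        if length == 0:
            return labels
        if length & 0xC0:  # compression pointers are not valid in a query name
            raise ValueError("unexpected compression pointer in QNAME")
        offset += 1
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length


def longest_label(packet):
    """Length of the longest single label in the query name."""
    return max(len(label) for label in parse_qname_labels(packet))


def flags_long_segment(packet, max_len=MAX_LABEL_LEN, trusted=TRUSTED_SUFFIXES):
    """True when a label exceeds max_len and the name is not under a trusted suffix."""
    name = ".".join(parse_qname_labels(packet))
    if any(name.endswith(suffix) for suffix in trusted):
        return False
    return longest_label(packet) > max_len


if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        pkt = build_dns_query(n)
        print(n, longest_label(pkt), flags_long_segment(pkt), flags_long_segment(pkt, trusted=()))
```

With the allowlist empty the ELB name fires on the assumed cutoff; with the suffix trusted it does not, while an unknown domain with an equally long label still would.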
Current thread:
- Rule 3:30881 James Lay (Oct 20)
- Re: Rule 3:30881 Jeremy Hoel (Oct 20)
- Re: Rule 3:30881 James Lay (Oct 21)
- Re: Rule 3:30881 Jeremy Hoel (Oct 20)