Snort mailing list archives
Re: Rule 3:30881
From: James Lay <jlay () slave-tothe-box net>
Date: Fri, 21 Oct 2016 11:41:38 -0600
Thanks Jeremy. Yea this one is odd...I may have to craft a custom exclude filter for maybe "cat-server-lb-tus1gwynwapex"...I don't want to just event filter the entire rule since ya..it's catching exfiltration via UDP.

James

On 2016-10-20 17:13, Jeremy Hoel wrote:
So for this type of rule, for the clients I have been working with, I tell them that there isn't a great way to filter this. It's looking for overly long DNS queries, which rack space providers offer and while it can be assumed that someone doing malware things wouldn't use computername.ip.info.amazon.aws (or some other long dns exfiltration scheme).. it should be able to exclude CDNs and some AWS domains.. just knowing that you might be opening it up to other things. I have been thinking about how to do other things in order to prevent FPs, but I couldn't come up with anything that could also be used by the bad guys. As people use more cloud based services, this is going to become harder to use. A better option might be to just capture DNS queries and quickly query that

On Thu, Oct 20, 2016 at 7:05 AM, James Lay <jlay () slave-tothe-box net> wrote:

Rule:

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"MALWARE-OTHER dns request with long host name segment - possible data exfiltration attempt"; sid:30881; gid:3; rev:4; classtype:attempted-recon; metadata: engine shared, soid 3|30881, service dns;)

Hit:

[3:30881:3] MALWARE-OTHER dns request with long host name segment - possible data exfiltration attempt [Classification: Attempted Information Leak] [Priority: 2] {UDP} x.x.x.x:64712 -> x.x.x.x:53
dns request cat-server-lb-tus1gwynwapex01-368602537.us-east-1.elb.amazonaws.com

I'm hoping you folks can look at this instead of myself just blindly event_filtering this rule. Thank you.

James

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
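The thread is about a shared-object rule (gid 3, so its matching logic is not visible) that fires on a DNS query containing an overly long host name segment, and about how to exclude a load balancer's legitimately long name without event_filtering the whole rule. The following is an added example written for this archive page; it is not code from the thread, from James or Jeremy, or from the Snort project. It builds constructed DNS query payloads, extracts the question name the way a UDP/53 inspector would see it, flags any label over a length threshold, and layers a trusted-suffix allowlist over that verdict. The threshold of 32, the suffix list and the sample query names are assumptions; the ELB name is the one quoted in the thread, and the 48-character hex label is a constructed stand-in for the kind of name an exfiltration tool would emit.

```python
"""Long-label DNS query check with a trusted-suffix exclusion list.

Added example, not code from the thread or from the Snort project. It
mimics what sid 3:30881 is described as doing (flagging a DNS query with
an overly long host name segment) and layers a suffix allowlist over it so
that known load-balancer names can be excluded without event_filtering
the whole rule. The label-length threshold, the allowlisted suffixes and
the sample queries are all constructed assumptions.
"""
import struct

LABEL_THRESHOLD = 32  # assumed cutoff; the rule's real threshold is not stated in the thread
TRUSTED_SUFFIXES = (  # assumed exclusions; tune to the environment
    "elb.amazonaws.com",
    "cloudfront.net",
)


def build_query(qname, txid=0x1234):
    """Construct a minimal DNS query payload (header + one A question) for testing.

    Labels longer than 63 octets cannot be encoded in DNS wire format at all,
    so the check below only ever sees labels in the 1..63 range.
    """
    labels = qname.rstrip(".").split(".")
    if any(len(label) > 63 for label in labels):
        raise ValueError("DNS label longer than 63 octets cannot be encoded")
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    name = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    return header + name + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_qname(payload):
    """Return the list of labels from the question section of a DNS payload.

    Only the first question is read and compression pointers are rejected
    (they do not occur in a well-formed question name).
    """
    off = 12  # fixed-size DNS header
    labels = []
    while True:
        n = payload[off]
        off += 1
        if n == 0:
            return labels
        if n & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(payload[off:off + n].decode("ascii", "replace"))
        off += n


def longest_label(labels):
    """Length of the longest label; 0 for the root name."""
    return max((len(label) for label in labels), default=0)


def is_trusted(labels, suffixes=TRUSTED_SUFFIXES):
    """True when the query name ends in one of the allowlisted suffixes."""
    qname = ".".join(labels).lower()
    return any(qname == s or qname.endswith("." + s) for s in suffixes)


def classify(labels, threshold=LABEL_THRESHOLD, suffixes=TRUSTED_SUFFIXES):
    """'ok' (no long label), 'excluded' (long label, trusted suffix) or 'alert'."""
    if longest_label(labels) <= threshold:
        return "ok"
    if is_trusted(labels, suffixes):
        return "excluded"
    return "alert"


def classify_payload(payload, **kw):
    """Classify a raw DNS query payload as the rule would see it on UDP/53."""
    return classify(parse_qname(payload), **kw)


# Constructed sample queries: a normal lookup, the ELB name from the thread,
# and a made-up 48-character hex label standing in for an exfiltration name.
SAMPLE_QUERIES = [
    "www.example.com",
    "cat-server-lb-tus1gwynwapex01-368602537.us-east-1.elb.amazonaws.com",
    "0123456789abcdef0123456789abcdef0123456789abcdef.c2.example",
]


def run_samples():
    """Return {qname: verdict} for the constructed samples."""
    return {q: classify_payload(build_query(q)) for q in SAMPLE_QUERIES}


if __name__ == "__main__":
    for qname, verdict in run_samples().items():
        print(f"{verdict:8s} {qname}")
```

The allowlist only narrows on the suffix, which is exactly the trade-off Jeremy describes: a long first label under a trusted suffix is also reported as "excluded", so anyone who can register names under an allowlisted zone is hidden from the check. Logging the "excluded" verdicts separately, rather than dropping them, keeps that blind spot visible.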
Current thread:
- Rule 3:30881 James Lay (Oct 20)
- Re: Rule 3:30881 Jeremy Hoel (Oct 20)
- Re: Rule 3:30881 James Lay (Oct 21)
- Re: Rule 3:30881 Jeremy Hoel (Oct 20)