Snort mailing list archives
Re: Help with Snort Processor
From: "Al Lewis \(allewi\) via Snort-users" <snort-users () lists snort org>
Date: Sat, 28 Oct 2017 14:18:02 +0000
Hello,

Can you send a sample of the traffic in pcap form?

Thanks.

Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
SOURCEfire, Inc. now part of Cisco
Email: allewi () cisco com

From: Snort-users <snort-users-bounces () lists snort org> on behalf of Paul O'Brien via Snort-users <snort-users () lists snort org>
Reply-To: Paul O'Brien <pdobrien3 () gmail com>
Date: Friday, October 27, 2017 at 9:40 AM
To: "Joel Esler (jesler)" <jesler () cisco com>
Cc: "snort-users () lists snort org" <snort-users () lists snort org>
Subject: Re: [Snort-users] Help with Snort Processor

Aanval Alert (PROTOCOL-DNS domain not found containing random-looking hostname - possible DGA detected)

The following alert was generated by the Aanval Intrusion Detection Console.
---
Timestamp: 10-27-2017 11:53:06
Risk Level: 1
Source IP: 24.25.5.61 : 53
Destination IP: 192.168.1.266 : 55886
Sensor: sensor01
Detected Event: PROTOCOL-DNS domain not found containing random-looking hostname - possible DGA detected (31738)
Detected Event Category: trojan-activity (21)
Aanval ID: 190559
Action ID: 1
---
Payload:
5072818300010000000100000A6D73672D7464692D6D640870756C73656D7373036E65740000010001C0200006000100000384003D01610C67746C642D73657276657273C020056E73746C640C766572697369676E2D67727303636F6D0059F31002000007080000038400093A8000015180
---
This message was generated from the Aanval Intrusion Detection and Correlation Console.
http://www.aanval.com/
---

Thanks,
Dan

"Better is a poor man who walks in his integrity than a rich man who is crooked in his ways." - Proverbs 28:6

Sent from my iPhone

On Oct 27, 2017, at 9:24 AM, Joel Esler (jesler) <jesler () cisco com> wrote:

That would be a good start.

--
Joel Esler | Talos: Manager | jesler () cisco com

On Oct 27, 2017, at 7:50 AM, Paul O'Brien <pdobrien3 () gmail com> wrote:

Thank you for the response Joel. I apologize for not being clear. I understand it is doing exactly what it is supposed to do, but I am getting multiple text notifications a day whenever someone opens Chrome. I am very new to this and more than happy to get you an example of the alert, just not sure what you are looking for. Just a copy/paste or something more involved?

Thanks,
Dan

"Better is a poor man who walks in his integrity than a rich man who is crooked in his ways." - Proverbs 28:6

Sent from my iPhone

On Oct 26, 2017, at 11:25 PM, Joel Esler (jesler) <jesler () cisco com> wrote:

It's not a preprocessor, this is a shared object rule, but it is doing exactly what it is supposed to do. Looking for random looking hostnames. Do you have an example of an alert?

--
Joel Esler | Talos: Manager | jesler () cisco com

On Oct 25, 2017, at 8:06 PM, Dan O'Brien via Snort-users <snort-users () lists snort org> wrote:

Good evening all,

Looking for some suggestions to quiet (PROTOCOL-DNS domain not found containing random-looking hostname - possible DGA detected). It goes off every time someone opens Chrome due to Chrome DNS prefetching. I disabled prefetching in Chrome but apparently it still does some things upon opening that can't be controlled in the settings.

Browser Startup

Chromium automatically remembers the first 10 domains that were resolved the last time the Chromium was started, and automatically starts to resolve these names very early in the startup process. As a result, the domains for a user's home page(s), along with any embedded domains (or anything the user "always" visits just after startup), are generally resolved before much of Chromium has ever loaded. When Chromium finally starts to try to load and render those pages, there is typically no DNS induced latency, and the application effectively "starts up" (becoming usable) faster. Average startup savings are 200ms or more, with common acceleration over 1 second.

Looking for ideas beyond disabling the rule. Thanks in advance.

Thanks,
Dan

"Better is a poor man who walks in his integrity than a rich man who is crooked in his ways." - Proverbs 28:6

Sent from my iPad

_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
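As an added example (not code from the thread, from Aanval, or from the Talos rule SID 31738), the following Python decodes the DNS payload Dan pasted, confirms it is an NXDOMAIN response for msg-tdi-md.pulsemss.net, and then applies a toy "random-looking label" heuristic plus an allowlist so an analyst can triage such alerts before deciding whether to tune the sensor. Assumptions: the entropy/consonant-run thresholds and the naive "last two labels" registrable-domain split are invented here for illustration (the real shared-object rule's scoring is not on the page), and the `allowlist` contents are whatever the analyst has verified as benign.

```python
import math
import struct

# DNS response bytes copied from the Aanval alert quoted in the thread above
# (the only packet the thread provides), split and annotated per field.
ALERT_PAYLOAD_HEX = "".join([
    "5072" "8183" "0001" "0000" "0001" "0000",        # id, flags (QR, RD, RA, RCODE=3), QD/AN/NS/AR counts
    "0A6D73672D7464692D6D64",                         # label "msg-tdi-md"
    "0870756C73656D7373",                             # label "pulsemss"
    "036E6574" "00",                                  # label "net", root
    "0001" "0001",                                    # QTYPE A, QCLASS IN
    "C020" "0006" "0001" "00000384" "003D",           # authority: pointer to "net", SOA, IN, TTL 900, RDLENGTH 61
    "0161" "0C67746C642D73657276657273" "C020",       # MNAME a.gtld-servers.net
    "056E73746C64" "0C766572697369676E2D677273" "03636F6D" "00",  # RNAME nstld.verisign-grs.com
    "59F31002" "00000708" "00000384" "00093A80" "00015180",       # serial, refresh, retry, expire, minimum
])

RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
VOWELS = set("aeiou")


def read_name(msg, offset):
    """Decode a DNS name at offset, following RFC 1035 compression pointers.
    Returns (dotted_name, offset just past the name in the original stream)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                      # 2-byte compression pointer
            if end is None:
                end = offset + 2                       # stream resumes after the first pointer
            target = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            hops += 1
            if target >= offset or hops > 16:          # pointers may only go backwards; bound loops
                raise ValueError("bad compression pointer")
            offset = target
            continue
        if length == 0:
            offset += 1
            break
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), end if end is not None else offset


def parse_response(payload):
    """Parse header, question section and all resource records of a DNS message."""
    txn_id, flags, qd, an, ns, ar = struct.unpack("!6H", payload[:12])
    rcode, off, questions, records = flags & 0x000F, 12, [], []
    for _ in range(qd):
        name, off = read_name(payload, off)
        qtype, qclass = struct.unpack("!HH", payload[off:off + 4])
        off += 4
        questions.append((name, qtype, qclass))
    for _ in range(an + ns + ar):
        name, off = read_name(payload, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", payload[off:off + 10])
        off += 10
        rdata = payload[off:off + rdlen]
        if rtype == 6:                                 # SOA: decode MNAME/RNAME to show who answered
            mname, o2 = read_name(payload, off)
            rname, _ = read_name(payload, o2)
            rdata = (mname, rname)
        off += rdlen
        records.append((name, rtype, ttl, rdata))
    return {"id": txn_id, "is_response": bool(flags & 0x8000), "rcode": rcode,
            "rcode_name": RCODE_NAMES.get(rcode, str(rcode)),
            "questions": questions, "records": records}


def label_entropy(label):
    """Shannon entropy in bits per character of one label."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in (label.count(ch) for ch in set(label)))


def looks_random(label):
    """Toy stand-in for a 'random-looking hostname' test (thresholds are assumptions).
    Flags labels with 8+ letters that have a 5+ consonant run, or high entropy and few vowels."""
    letters = [c for c in label.lower() if c.isalpha()]
    if len(letters) < 8:
        return False
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    longest_run = run = 0
    for c in letters:
        run = 0 if c in VOWELS else run + 1
        longest_run = max(longest_run, run)
    return longest_run >= 5 or (label_entropy(label) >= 3.0 and vowel_ratio < 0.25)


def triage(payload_hex, allowlist=()):
    """Classify one alert payload: only NXDOMAIN responses matter, verified domains
    are allowlisted, and the remaining labels are scored one by one."""
    msg = parse_response(bytes.fromhex(payload_hex))
    qname = msg["questions"][0][0].lower() if msg["questions"] else ""
    labels = qname.split(".")
    registrable = ".".join(labels[-2:])               # naive split; real tooling uses the public suffix list
    flagged = [l for l in labels[:-1] if looks_random(l)]
    if not msg["is_response"] or msg["rcode"] != 3:
        verdict = "ignore"
    elif registrable in {d.lower() for d in allowlist}:
        verdict = "allowlisted"
    elif flagged:
        verdict = "suspicious"
    else:
        verdict = "benign-nxdomain"
    return {"qname": qname, "rcode": msg["rcode_name"], "flagged_labels": flagged, "verdict": verdict}


if __name__ == "__main__":
    print(parse_response(bytes.fromhex(ALERT_PAYLOAD_HEX)))
    print(triage(ALERT_PAYLOAD_HEX))
    print(triage(ALERT_PAYLOAD_HEX, allowlist=("pulsemss.net",)))   # after the domain has been verified
```

Run against the pasted payload, the decoder shows why the rule fired: a Chrome prefetch lookup for a hyphenated, vowel-poor label answered NXDOMAIN by the .net authority. Once a domain like that has been verified benign, the usual Snort-side fix is a `suppress` or `event_filter` entry in threshold.conf keyed on the rule's gen_id (3 for shared-object rules) and sig_id (31738), optionally scoped with `track by_src` to the prefetching hosts, rather than disabling the rule outright.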
Current thread:
- Help with Snort Processor Dan O'Brien via Snort-users (Oct 25)
- Re: Help with Snort Processor Joel Esler (jesler) via Snort-users (Oct 26)
- Re: Help with Snort Processor Paul O'Brien via Snort-users (Oct 27)
- Re: Help with Snort Processor Joel Esler (jesler) via Snort-users (Oct 27)
- Re: Help with Snort Processor Paul O'Brien via Snort-users (Oct 27)
- Re: Help with Snort Processor Al Lewis (allewi) via Snort-users (Oct 28)
- Re: Help with Snort Processor Paul O'Brien via Snort-users (Oct 27)
- Re: Help with Snort Processor Joel Esler (jesler) via Snort-users (Oct 26)