Snort mailing list archives
Re: Suspicious DNS rule
From: James Lay via Snort-sigs <snort-sigs () lists snort org>
Date: Thu, 16 Aug 2018 08:50:56 -0600
On 2018-07-31 11:16, James Lay wrote:
So ok....I got three samples, two Agent Tesla, one Formbook, all exhibit the following. List of samples on any.run:

https://app.any.run/tasks/33d3e229-fba7-476b-8ec9-7464eacb1ca3
https://app.any.run/tasks/6d9371e7-249b-47d1-bbbb-cf66dd34e30b
https://app.any.run/tasks/065b87cb-a6d3-4dc7-a06f-a893281b4263

These requests show up funky; my only guess is a specific packer is calling out, as the three samples are all .NET. Anyway, sig below:

alert udp $HOME_NET any -> any 53 (msg:"Suspicious DNS Request"; content:"|01 00 00 01 00 00 00 00 00 00 02 ca b1 03 6f 72 67 00|"; fast_pattern:only; classtype:trojan-activity; sid:XXXXXX; rev:1; metadata:created_at 2018_07_31;)

If someone has any more insight I'd love to know what this really is. Thank you.

James
And circling back on this, this turns out to be this in punycode: xn--5na[.]org

Still fails to resolve, but getting closer to finding out the cause.

James
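Decoding the rule's content bytes with the helper below (added here for illustration, not code from the thread) confirms the xn--5na[.]org finding and shows a detection caveat: the rule matches the name carried as a raw 2-byte UTF-8 label (CA B1), whereas an IDNA-aware stub resolver would send the 7-byte ASCII A-label "xn--5na", which this content match would not hit. The function and field names are my own.

```python
import struct

# Bytes from the rule's content match (DNS header minus the 16-bit ID, then the
# start of the question section), copied from the message above.
RULE_CONTENT = bytes.fromhex("01 00 00 01 00 00 00 00 00 00 02 ca b1 03 6f 72 67 00")


def parse_question_bytes(payload):
    """Decode flags, section counts and the QNAME labels from the rule bytes."""
    flags, qdcount, ancount, nscount, arcount = struct.unpack("!HHHHH", payload[:10])
    labels, pos = [], 10
    while True:
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:  # a compression pointer never belongs in a query QNAME
            raise ValueError("compression pointer in QNAME")
        labels.append(payload[pos:pos + length])
        pos += length
    return {"flags": flags, "qdcount": qdcount, "arcount": arcount, "labels": labels}


def describe_name(labels):
    """Flag raw non-ASCII label bytes and derive the U-label and A-label forms."""
    raw_utf8 = any(b > 0x7F for label in labels for b in label)
    u_label = ".".join(label.decode("utf-8") for label in labels)
    # Python's idna codec is IDNA2003: nameprep (NFKC) runs before Punycode, so
    # U+02B1 (modifier letter small h with hook) folds to U+0266 and encodes as xn--5na.
    a_label = u_label.encode("idna").decode("ascii")
    return {"raw_utf8": raw_utf8, "u_label": u_label, "a_label": a_label}


def wire_qname(name):
    """Length-prefixed QNAME as an IDNA-aware resolver would put it on the wire."""
    out = b"".join(bytes([len(l)]) + l for l in name.encode("idna").split(b"."))
    return out + b"\x00"


if __name__ == "__main__":
    q = parse_question_bytes(RULE_CONTENT)
    info = describe_name(q["labels"])
    print(f"flags=0x{q['flags']:04x} qdcount={q['qdcount']} labels={q['labels']}")
    print(f"raw UTF-8 label bytes in rule: {info['raw_utf8']}")
    print(f"U-label: {info['u_label']!r}  A-label: {info['a_label']}")
    print("QNAME an IDNA-aware client would send:", wire_qname(info["u_label"]).hex(" "))
```

A second content match on the A-label form (|07|xn--5na|03|org|00|) would be needed to catch a client that encodes the name properly.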