Snort mailing list archives
Re: 45907 FP
From: "Nicholas Mavis \(nmavis\) via Snort-sigs" <snort-sigs () lists snort org>
Date: Tue, 26 May 2020 15:46:10 +0000
Hey James, Good to see you on the list again. Detecting flow direction can be difficult for DNS rules but I think this rule should be "$HOME_NET any -> any 53" to cover requests to both internal and external DNS servers originating from your network. I'm going to make a revision to this rule for you. Thanks, Nick Mavis Sr. Research Engineer, Talos ________________________________ From: Snort-sigs <snort-sigs-bounces () lists snort org> on behalf of James Lay via Snort-sigs <snort-sigs () lists snort org> Sent: Sunday, May 24, 2020 7:06 AM To: Snort-Sigs <snort-sigs () lists snort org> Subject: [Snort-sigs] 45907 FP Seen about 5 of these starting on the 15th...this is an incoming request for aaa[.]stage[.]no[.]offense from 212.92.125.191: 05/24-10:02:05.674357 [**] [1:45907:1] MALWARE-CNC Cobalt Strike DNS beacon outbound TXT record [**] [Classification: A Network Trojan was Detected] [Priority: 1] {UDP} 212.92.124.191:41900 -> x.x.x.x:53 James
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists snort org https://lists.snort.org/mailman/listinfo/snort-sigs Please visit http://blog.snort.org for the latest news about Snort! Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a href=" https://snort.org/downloads/#rule-downloads">emerging threats</a>!
Current thread:
- 45907 FP James Lay via Snort-sigs (May 24)
- Re: 45907 FP wkitty42--- via Snort-sigs (May 24)
- Re: 45907 FP Nicholas Mavis (nmavis) via Snort-sigs (May 26)
- Re: 45907 FP James Lay via Snort-sigs (May 26)
- Re: 45907 FP Nicholas Mavis (nmavis) via Snort-sigs (May 26)
- Re: 45907 FP James Lay via Snort-sigs (May 26)
- Re: 45907 FP James Lay via Snort-sigs (May 26)