Snort mailing list archives

Previous By Date Next
Previous By Thread Next

BOTNET-CNC Possible host infection - excessive DNS queries for .eu

From: Yew Chuan Ong <yewchuan88 () gmail com>
Date: Sun, 11 Mar 2012 20:00:09 +0800
Hi,

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BOTNET-CNC Possible host
infection - excessive DNS queries for .eu"; flow:to_server;
byte_test:1,!&,0xF8,2; content:"|02|eu|00|"; fast_pattern:only;
detection_filter:track by_src, count 100, seconds 10;
classtype:trojan-activity; sid:21544; rev:1;)

This is the new sig posted on VRT blog recently which aimed to find out
malware within the network. I am wondering why we need to specific on the
keyword ".eu". Can we tracked the related traffic by using only the
threshold?

Also, are we aiming on any specific malware besides Murofet and Kazy? I try
to google around but can't really get it. Thanks!

------------------------------------------------------------------------------
Try before you buy = See our experts in action!
The most comprehensive online learning library for Microsoft developers
is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
Metro Style Apps, more. Free future releases when you subscribe now!
http://p.sf.net/sfu/learndevnow-dev2
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!
Previous By Date Next
Previous By Thread Next

Current thread: