Snort mailing list archives
BOTNET-CNC Possible host infection - excessive DNS queries for .eu
From: Yew Chuan Ong <yewchuan88 () gmail com>
Date: Sun, 11 Mar 2012 20:00:09 +0800
Hi,

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BOTNET-CNC Possible host infection - excessive DNS queries for .eu"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|02|eu|00|"; fast_pattern:only; detection_filter:track by_src, count 100, seconds 10; classtype:trojan-activity; sid:21544; rev:1;)

This is the new sig posted on the VRT blog recently, which is aimed at finding malware within the network. I am wondering why we need to be specific on the keyword ".eu". Can we track the related traffic by using only the threshold? Also, are we aiming at any specific malware besides Murofet and Kazy? I tried to google around but can't really get it. Thanks!
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
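For readers working through how the three pieces of this rule fit together, here is an added example (mine, not from the original poster or the VRT) that re-implements the rule's logic in plain Python and runs it over constructed DNS traffic. It relies only on the DNS header layout: byte 2 of the message holds QR and the Opcode in its top five bits, so byte_test:1,!&,0xF8,2 passes only for standard queries; "|02|eu|00|" is a two-byte label "eu" followed by the root terminator, i.e. a QNAME ending in ".eu"; and detection_filter with track by_src, count 100, seconds 10 holds back alerts until one source exceeds 100 matching packets in a 10-second window. The packet builder, the source addresses and the timestamps are all constructed for the demonstration.

```python
import struct

# Components of sid:21544 rev:1, re-implemented for illustration only:
#   byte_test:1,!&,0xF8,2  -> flags high byte: QR == 0 and Opcode == 0 (standard query)
#   content:"|02|eu|00|"   -> QNAME ends with the 2-byte label "eu" then the root label
#   detection_filter: track by_src, count 100, seconds 10
FLAGS_MASK = 0xF8          # QR (bit 7) plus the 4 Opcode bits (bits 6..3)
EU_LABEL = b"\x02eu\x00"
FILTER_COUNT = 100
FILTER_SECONDS = 10


def encode_qname(name: str) -> bytes:
    """Encode 'www.example.eu' as DNS labels: \\x03www\\x07example\\x02eu\\x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_dns_query(name: str, qr: int = 0, opcode: int = 0, rd: int = 1,
                    txid: int = 0x1234) -> bytes:
    """Constructed sample packet: DNS header plus one question (type A, class IN).
    qr/opcode are exposed so the caller can also produce responses and
    non-standard queries that the byte_test is meant to exclude."""
    flags = (qr << 15) | (opcode << 11) | (rd << 8)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    question = encode_qname(name) + struct.pack("!HH", 1, 1)
    return header + question


def rule_matches(payload: bytes) -> bool:
    """Per-packet part of the rule: the byte_test on the flags byte and the content match."""
    if len(payload) < 12:                  # shorter than a DNS header: cannot match
        return False
    if payload[2] & FLAGS_MASK:            # byte_test:1,!&,0xF8,2 -> require (byte & 0xF8) == 0
        return False
    return EU_LABEL in payload             # content:"|02|eu|00|" anywhere in the payload


class DetectionFilter:
    """track by_src, count N, seconds S: per Snort's documented semantics the rule
    fires only once a source has exceeded N matches inside an S-second window."""

    def __init__(self, count: int = FILTER_COUNT, seconds: int = FILTER_SECONDS):
        self.count, self.seconds = count, seconds
        self.state = {}                    # src -> (window_start, matches_in_window)

    def exceeded(self, src: str, ts: float) -> bool:
        start, n = self.state.get(src, (ts, 0))
        if ts - start >= self.seconds:     # window expired: start a fresh one
            start, n = ts, 0
        n += 1
        self.state[src] = (start, n)
        return n > self.count


def run_rule(packets, flt: DetectionFilter = None):
    """packets: iterable of (timestamp, src_ip, udp_payload) for traffic to port 53.
    Returns the (timestamp, src_ip) pairs on which the rule would alert."""
    flt = flt or DetectionFilter()
    alerts = []
    for ts, src, payload in packets:
        if rule_matches(payload) and flt.exceeded(src, ts):
            alerts.append((ts, src))
    return alerts


def demo():
    """Constructed traffic: one host issuing 120 distinct .eu lookups in under 5 seconds
    (the pattern the rule targets) and one host doing ordinary lookups."""
    noisy = [(1000.0 + i * 0.04, "10.0.0.5", build_dns_query(f"h{i}.example.eu"))
             for i in range(120)]
    quiet = [(1000.0 + i * 0.5, "10.0.0.9", build_dns_query("www.example.com"))
             for i in range(20)]
    return run_rule(sorted(noisy + quiet))


if __name__ == "__main__":
    hits = demo()
    print(f"{len(hits)} alerts; first from {hits[0][1]} at t={hits[0][0]:.2f}")
```

Running demo() yields 20 alerts, all for 10.0.0.5: the first 100 matching queries are absorbed by the filter and every one after that inside the window fires. Dropping the content match (keeping only the threshold) would count every standard query a host makes, so a busy but healthy resolver client would trip it; the .eu label is what narrows the count to the traffic the signature is interested in.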
Current thread:
- BOTNET-CNC Possible host infection - excessive DNS queries for .eu Yew Chuan Ong (Mar 12)
- Re: BOTNET-CNC Possible host infection - excessive DNS queries for .eu Alex Kirk (Mar 12)
- Re: BOTNET-CNC Possible host infection - excessive DNS queries for .eu Martin Holste (Mar 12)
- Re: BOTNET-CNC Possible host infection - excessive DNS queries for .eu Joel Esler (Mar 12)
- Re: BOTNET-CNC Possible host infection - excessive DNS queries for .eu Community Signatures (Mar 12)
- Re: BOTNET-CNC Possible host infection - excessive DNS queries for .eu Joel Esler (Mar 12)
- Re: BOTNET-CNC Possible host infection - excessive DNS queries for .eu Martin Holste (Mar 12)
- Re: BOTNET-CNC Possible host infection - excessive DNS queries for .eu Joel Esler (Mar 12)
- Re: BOTNET-CNC Possible host infection - excessive DNS queries for .eu Martin Holste (Mar 12)
- Re: BOTNET-CNC Possible host infection - excessive DNS queries for .eu Joel Esler (Mar 12)
- Re: BOTNET-CNC Possible host infection - excessive DNS queries for .eu Martin Holste (Mar 12)
- Re: BOTNET-CNC Possible host infection - excessive DNS queries for .eu Alex Kirk (Mar 12)