Snort mailing list archives
Re: BOTNET-CNC Possible host infection - excessive DNS queries for .eu
From: Joel Esler <jesler () sourcefire com>
Date: Mon, 12 Mar 2012 12:55:58 -0400
Okay, thanks. We'll keep that in mind. For now we'll let it go and see if we get any FP reports from it and what we can do to address those.

J

On Mar 12, 2012, at 12:46 PM, Martin Holste wrote:

> Not this one, but many like it based on excessive DNS lookups have caused problems. I agree that .eu is less common. My point was that adding !$SMTP_SERVERS is generally a good thing to do for DNS-based sigs.
>
> On Mon, Mar 12, 2012 at 10:59 AM, Joel Esler <jesler () sourcefire com> wrote:
>
>> Are you running this rule and seeing false positives?
>>
>> On Mar 12, 2012, at 11:46 AM, Martin Holste wrote:
>>
>>> My point was that you should probably use at least !$SMTP_SERVERS for the srcip. I can definitely understand not wanting to also add !$DNS_SERVERS since a compromised client could (will?) be using the org's DNS servers to do the lookups. In any case, it's clear that the rule is more for demonstrative purposes than anything, but that's why I wanted to raise the point regarding some of the pitfalls of detection_filter based rules for any new rule-writers out there.
>>>
>>> On Mon, Mar 12, 2012 at 10:27 AM, Joel Esler <jesler () sourcefire com> wrote:
>>>
>>>> On Mon, Mar 12, 2012 at 11:21 AM, Community Signatures <lists () packetmail net> wrote:
>>>>
>>>>> On 03/12/12 10:14, Martin Holste wrote:
>>>>>
>>>>>> The sig, as written, will false like crazy on any medium or large sized network because it does not take into account DNS servers or SMTP servers (or spam gateways) which do a lot of DNS lookups.
>>>>>
>>>>> I dunno, "detection_filter:track by_src, count 100, seconds 10;" -- even in these high volume networks I would tend to agree that 10 queries/second is suspicious when 100 after 10 seconds is reached.
>>>>
>>>> We've had one report of a false positive on a rule similar to this as a result of Chrome doing pre-fetching on certain sites (.ru, not .eu) so I am sure it could happen. If there are 100 external links NOT with the same domain name on a single page, this is an indicator of compromise.
>>>>
>>>> In the new rule category system: http://blog.snort.org/2012/03/rule-category-reorganization.html
>>>>
>>>> This will go in INDICATOR-COMPROMISE
>>>>
>>>> --
>>>> Joel Esler
>>>> Senior Research Engineer, VRT
>>>> OpenSource Community Manager
>>>> Sourcefire
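The detection_filter pitfall raised in the thread, as an added Python model that is not code from the thread or from the Snort project: it counts .eu lookups per source the way "detection_filter: track by_src, count 100, seconds 10;" does (firing once the count is reached inside the window, the reading used above), runs that over constructed DNS events, and shows that a negated !$SMTP_SERVERS source exclusion removes the mail-gateway hits while the bursty workstation still alerts. The SMTP_SERVERS address, the event stream and the "query name ends in .eu" match are assumptions, since the full rule is not shown in the thread.

```python
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

# Assumed rule variable (constructed for this example, not the thread's value)
SMTP_SERVERS = [ip_network("10.0.0.25/32")]


def in_any(src, nets):
    """True if src is inside any listed network (models a negated Snort variable)."""
    return any(ip_address(src) in n for n in nets)


class DetectionFilter:
    """Sliding-window model of 'detection_filter: track by_src, count N, seconds S':
    observe() is True once N events from one source fall inside the last S seconds,
    and stays True for further events while the window still holds N events."""

    def __init__(self, count, seconds):
        self.count, self.seconds = count, seconds
        self.windows = defaultdict(deque)

    def observe(self, src, ts):
        q = self.windows[src]
        q.append(ts)
        while q and ts - q[0] > self.seconds:  # forget events older than the window
            q.popleft()
        return len(q) >= self.count


def run_rule(events, count=100, seconds=10, exclude=()):
    """Apply the modeled rule to (timestamp, src_ip, qname) DNS events; 'exclude'
    plays the role of '!$SMTP_SERVERS' on src_ip. Returns alerting (ts, src)."""
    flt = DetectionFilter(count, seconds)
    alerts = []
    for ts, src, qname in events:
        if not qname.lower().endswith(".eu"):  # assumed match condition for the rule
            continue
        if in_any(src, exclude):  # source dropped by the negated variable
            continue
        if flt.observe(src, ts):
            alerts.append((ts, src))
    return alerts

def constructed_events():
    """Constructed traffic: a mail gateway resolving many .eu MX hosts, a workstation
    bursting 150 lookups in under 5 s, and a workstation browsing at a normal pace."""
    ev = [(i * 0.08, "10.0.0.25", f"mx{i}.example.eu") for i in range(120)]
    ev += [(20 + i * 0.03, "10.0.1.7", f"c{i}.suspect.eu") for i in range(150)]
    ev += [(100 + i * 2.0, "10.0.1.8", f"site{i}.eu") for i in range(30)]
    return sorted(ev)
```

Without the exclusion the mail gateway trips the filter 21 times alongside the 51 alerts from the bursty host; with SMTP_SERVERS excluded only the workstation remains, and the normally browsing host never alerts either way.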
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- BOTNET-CNC Possible host infection - excessive DNS queries for .eu Yew Chuan Ong (Mar 12)
- Re: BOTNET-CNC Possible host infection - excessive DNS queries for .eu Alex Kirk (Mar 12)
- Re: BOTNET-CNC Possible host infection - excessive DNS queries for .eu Martin Holste (Mar 12)
- Re: BOTNET-CNC Possible host infection - excessive DNS queries for .eu Joel Esler (Mar 12)
- Re: BOTNET-CNC Possible host infection - excessive DNS queries for .eu Community Signatures (Mar 12)
- Re: BOTNET-CNC Possible host infection - excessive DNS queries for .eu Joel Esler (Mar 12)
- Re: BOTNET-CNC Possible host infection - excessive DNS queries for .eu Martin Holste (Mar 12)
- Re: BOTNET-CNC Possible host infection - excessive DNS queries for .eu Joel Esler (Mar 12)
- Re: BOTNET-CNC Possible host infection - excessive DNS queries for .eu Martin Holste (Mar 12)
- Re: BOTNET-CNC Possible host infection - excessive DNS queries for .eu Joel Esler (Mar 12)
- Re: BOTNET-CNC Possible host infection - excessive DNS queries for .eu Martin Holste (Mar 12)
- Re: BOTNET-CNC Possible host infection - excessive DNS queries for .eu Alex Kirk (Mar 12)