Snort mailing list archives

Re: External DNS 127.0.0.1 response


From: James Lay <jlay () slave-tothe-box net>
Date: Sat, 20 Apr 2013 08:43:43 -0600

Yea so this rule is a semi bust due to exactly where you hit it Nathan…RBL and SBL lookups will FP on this.  That being 
said however this rule might be helpful in organizations that don't host their own mail server:

alert udp $EXTERNAL_NET 53 -> $DNS_SERVERS any (msg:"INDICATOR-COMPROMISE External DNS 127.0.0.1 response, possible bot suspension"; content:"|7F 00 00 01|"; fast_pattern:only; classtype:trojan-activity; sid:10000048; rev:1;)



And this one below could be useful for internal localhost dns response…I'm thinking compromised workstation sends 
request to say your domain controller and the domain controller sends this back

alert udp $DNS_SERVERS 53 -> $HOME_NET any (msg:"INDICATOR-COMPROMISE DNS 127.0.0.1 response, possible bot suspension"; flow:from_server; content:"|7F 00 00 01|"; fast_pattern:only; metadata:impact_flag red, service dns; classtype:trojan-activity; sid:10000049; rev:2;)

Maybe useful, maybe not…and I love the flow I put in on the original one….good grief 8-|

James


On Apr 19, 2013, at 12:31 PM, James Lay <jlay () slave-tothe-box net> wrote:


On Apr 19, 2013, at 12:23 PM, "lists () packetmail net" <lists () packetmail net> wrote:

On 04/19/2013 01:12 PM, James Lay wrote:
Bot suspension technique:

alert udp $EXTERNAL_NET 53 -> $DNS_SERVERS any (msg:"INDICATOR-COMPROMISE External DNS 127.0.0.1 response, possible bot suspension"; flow:from_server; content:"127.0.0.1"; fast_pattern:only; metadata:impact_flag red, service dns; classtype:trojan-activity; sid:10000048; rev:1;)

Hey bro, won't this false positive on some RBL/SBL lookups for example, those
that return 127.0.0.1[0-9]?$ like SORBS and SpamHaus?

http://www.spamhaus.org/faq/section/DNSBL%20Usage#200
http://www.sorbs.net/using.shtml
etc

Cheers,
Nathan


LoL…totally didn't think of that..running now and we'll see if I get FP's :)

James
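The thread above turns on what the two `content:` matches actually see. A raw content match runs over the whole UDP payload, so the rev:1 ASCII pattern `"127.0.0.1"` matches inside a DNSBL TXT answer such as "...127.0.0.10" (Nathan's point), while the later `|7F 00 00 01|` pattern only fires on the four binary bytes and so needs an A record of exactly 127.0.0.1. The block below is an added example, not code from the thread or from the Snort project: it builds three constructed DNS responses (a sinkholed name answered with 127.0.0.1, a DNSBL lookup answered with 127.0.0.10 plus a TXT string, and a clean lookup), runs both raw-byte matches over them the way the rules do, and then does the protocol-aware check a practitioner would want, parsing the answer section and flagging only an A record of 127.0.0.1 for a name outside an assumed DNSBL zone allowlist. The DNSBL zone names, the TXT text and all packet contents are constructed for the example.

```python
import struct

A_RECORD, TXT_RECORD = 1, 16
LOCALHOST = b"\x7f\x00\x00\x01"
# Assumed allowlist of DNSBL zones whose answers legitimately live in 127.0.0.0/8.
DNSBL_ZONES = ("zen.spamhaus.org", "dnsbl.sorbs.net")


def encode_name(name):
    """Encode a dotted name as length-prefixed DNS labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_response(qname, answers, txid=0x1234):
    """Build a minimal DNS response: header, one IN/A question, answers as (type, rdata)."""
    msg = struct.pack(">HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)
    msg += encode_name(qname) + struct.pack(">HH", A_RECORD, 1)
    for rtype, rdata in answers:
        # Name is a compression pointer to the question at offset 12; class IN, TTL 300.
        msg += b"\xc0\x0c" + struct.pack(">HHIH", rtype, 1, 300, len(rdata)) + rdata
    return msg


def decode_name(msg, off):
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:              # compression pointer
            hops += 1
            if hops > 16:                      # refuse pointer loops in hostile packets
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_response(msg):
    """Return (first qname, [(owner, rtype, rdata), ...]) from a DNS response."""
    qdcount, ancount = struct.unpack(">HH", msg[4:8])
    off, qname = 12, None
    for _ in range(qdcount):
        name, off = decode_name(msg, off)
        qname = qname or name
        off += 4                                # skip qtype, qclass
    answers = []
    for _ in range(ancount):
        name, off = decode_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        answers.append((name, rtype, msg[off:off + rdlen]))
        off += rdlen
    return qname, answers


def raw_ascii_match(msg):
    """What the rev:1 rule's content:"127.0.0.1" sees: the text anywhere in the payload."""
    return b"127.0.0.1" in msg


def raw_binary_match(msg):
    """What content:"|7F 00 00 01|" sees: the four bytes anywhere in the payload."""
    return LOCALHOST in msg


def flag_localhost_answer(msg):
    """Protocol-aware check: an A record of exactly 127.0.0.1 for a non-DNSBL name."""
    qname, answers = parse_response(msg)
    if qname.lower().endswith(DNSBL_ZONES):
        return None
    hits = [o for o, rtype, rdata in answers if rtype == A_RECORD and rdata == LOCALHOST]
    return (qname, hits) if hits else None


# Constructed sample responses, not captured traffic.
SINKHOLED = build_response("update.example.net", [(A_RECORD, LOCALHOST)])
_txt = b"listed, return code 127.0.0.10"
DNSBL = build_response("2.0.0.127.zen.spamhaus.org", [
    (A_RECORD, b"\x7f\x00\x00\x0a"),                  # 127.0.0.10-style return code
    (TXT_RECORD, bytes([len(_txt)]) + _txt),          # length-prefixed TXT string
])
CLEAN = build_response("www.example.com", [(A_RECORD, bytes([93, 184, 216, 34]))])

if __name__ == "__main__":
    for label, pkt in (("sinkholed", SINKHOLED), ("dnsbl", DNSBL), ("clean", CLEAN)):
        print(label, raw_ascii_match(pkt), raw_binary_match(pkt), flag_localhost_answer(pkt))
```

The ASCII pattern misses the sinkholed answer entirely (A rdata is binary) yet fires on the DNSBL TXT text, which is the false positive raised in the thread; the binary pattern catches the sinkholed answer and stays quiet on a 127.0.0.10 return code, but any DNSBL that answers with 127.0.0.1 itself would still trip it, which is why the parsed check also consults the zone allowlist.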
------------------------------------------------------------------------------
Precog is a next-generation analytics platform capable of advanced
analytics on semi-structured data. The platform includes APIs for building
apps and a phenomenal toolset for data science. Developers can use
our toolset for easy data analysis & visualization. Get a free account!
http://www2.precog.com/precogplatform/slashdotnewsletter
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!
