Snort mailing list archives
Re: External DNS 127.0.0.1 response
From: James Lay <jlay () slave-tothe-box net>
Date: Sat, 20 Apr 2013 08:43:43 -0600
Yea so this rule is a semi bust due to exactly where you hit it Nathan…RBL and SBL lookups will FP on this.  That being said however, this rule might be helpful in organizations that don't host their own mail server:

alert udp $EXTERNAL_NET 53 -> $DNS_SERVERS any (msg:"INDICATOR-COMPROMISE External DNS 127.0.0.1 response, possible bot suspension"; content:"|7F 00 00 01|"; fast_pattern:only; classtype:trojan-activity; sid:10000048; rev:1;)

And this one below could be useful for internal localhost DNS response…I'm thinking compromised workstation sends request to say your domain controller and the domain controller sends this back:

alert udp $DNS_SERVERS 53 -> $HOME_NET any (msg:"INDICATOR-COMPROMISE DNS 127.0.0.1 response, possible bot suspension"; flow:from_server; content:"|7F 00 00 01|"; fast_pattern:only; metadata:impact_flag red, service dns; classtype:trojan-activity; sid:10000049; rev:2;)

Maybe useful, maybe not…and I love the flow I put in on the original one….good grief 8-|

James

On Apr 19, 2013, at 12:31 PM, James Lay <jlay () slave-tothe-box net> wrote:
> On Apr 19, 2013, at 12:23 PM, "lists () packetmail net" <lists () packetmail net> wrote:
>
>> On 04/19/2013 01:12 PM, James Lay wrote:
>>> Bot suspension technique:
>>>
>>> alert udp $EXTERNAL_NET 53 -> $DNS_SERVERS any (msg:"INDICATOR-COMPROMISE External DNS 127.0.0.1 response, possible bot suspension"; flow:from_server; content:"127.0.0.1"; fast_pattern:only; metadata:impact_flag red, service dns; classtype:trojan-activity; sid:10000048; rev:1;)
>>
>> Hey bro, won't this false positive on some RBL/SBL lookups, for example those that return 127.0.0.1[0-9]?$ like SORBS and SpamHaus?
>>
>> http://www.spamhaus.org/faq/section/DNSBL%20Usage#200
>> http://www.sorbs.net/using.shtml
>>
>> etc
>>
>> Cheers,
>> Nathan
>
> LoL…totally didn't think of that..running now and we'll see if I get FP's :)
>
> James
>
> ------------------------------------------------------------------------------
> Precog is a next-generation analytics platform capable of advanced analytics on semi-structured data. The platform includes APIs for building apps and a phenomenal toolset for data science. Developers can use our toolset for easy data analysis & visualization. Get a free account!
> http://www2.precog.com/precogplatform/slashdotnewsletter
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
>
> Please visit http://blog.snort.org for the latest news about Snort!
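Both rev:1 and rev:2 of the rule match the four bytes |7F 00 00 01| anywhere in the UDP payload, so they cannot tell an A record answering 127.0.0.1 from a DNSBL return code, or from those four bytes happening to land in some other field. The Python below is an added example, not code from the thread or from Snort: it parses the response instead of pattern-matching it, decodes the question name and the A records (following RFC 1035 compression pointers), alerts on any 127.0.0.0/8 answer (broader than the rule's exact 127.0.0.1, so it also catches 127.0.0.2 and friends) and suppresses answers for names under a DNSBL zone list. The zone list is an assumed starting point, dnsbl.example.net is a hypothetical zone, and every packet is constructed in the script rather than captured.

```python
"""Parse DNS responses and flag loopback A records, with a DNSBL allow-list,
as an alternative to Snort's position-blind content match |7F 00 00 01|."""
import struct
from ipaddress import IPv4Address, IPv4Network

LOOPBACK = IPv4Network("127.0.0.0/8")

# Assumed starting list; real deployments add the DNSBLs their MTAs query.
# dnsbl.example.net is a hypothetical zone used only for the sample packets.
DNSBL_ZONES = ("zen.spamhaus.org", "dnsbl.sorbs.net", "dnsbl.example.net")


def read_name(pkt, off):
    """Decode a DNS name at `off`, following compression pointers.
    Returns (lower-cased name, offset just past the name in the stream)."""
    labels, end, hops = [], None, 0
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:  # 2-byte compression pointer
            ptr = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2  # stream continues after the first pointer
            off, hops = ptr, hops + 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(pkt[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels).lower(), (off if end is None else end)


def parse_response(pkt):
    """Return (first question name, [IPv4Address of each A answer])."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!6H", pkt[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    off, qname, addrs = 12, None, []
    for _ in range(qd):
        name, off = read_name(pkt, off)
        off += 4  # skip QTYPE, QCLASS
        qname = qname if qname is not None else name
    for _ in range(an):
        _, off = read_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        rdata = pkt[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:  # A, IN
            addrs.append(IPv4Address(rdata))
    return qname, addrs


def raw_content_match(pkt):
    """What content:"|7F 00 00 01|" does: any occurrence, any field."""
    return b"\x7f\x00\x00\x01" in pkt


def ascii_content_match(pkt):
    """What content:"127.0.0.1" does: the dotted-quad text, which is never
    how an A record is encoded (it would only appear in e.g. TXT rdata)."""
    return b"127.0.0.1" in pkt


def is_dnsbl_query(qname):
    return any(qname == z or qname.endswith("." + z) for z in DNSBL_ZONES)


def classify(pkt):
    """'alert' for a 127/8 answer to a non-DNSBL name, 'dnsbl' when the
    question name is under a listed DNSBL zone, 'clean' otherwise."""
    qname, addrs = parse_response(pkt)
    if not any(a in LOOPBACK for a in addrs):
        return "clean"
    return "dnsbl" if is_dnsbl_query(qname) else "alert"


def build_response(qname, answers, ttl=300, txid=0x1234):
    """Construct a minimal DNS response (test data, not a capture)."""
    enc = lambda n: b"".join(bytes([len(l)]) + l.encode() for l in n.split(".")) + b"\x00"
    hdr = struct.pack("!6H", txid, 0x8180, 1, len(answers), 0, 0)
    question = enc(qname) + struct.pack("!HH", 1, 1)
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4)  # name -> offset 12
                   + IPv4Address(ip).packed for ip in answers)
    return hdr + question + rrs


# Constructed samples: names and addresses are illustrative only.
SAMPLES = {
    "sinkholed":      build_response("update.example.com", ["127.0.0.1"]),
    "dnsbl_code":     build_response("2.0.0.127.dnsbl.example.net", ["127.0.0.1"]),
    "loopback_other": build_response("cdn.example.com", ["127.0.0.2"]),
    "clean":          build_response("www.example.org", ["203.0.113.10"]),
    # contrived: a TTL of 0x7F000001 puts the rule's bytes in a non-rdata field
    "ttl_collision":  build_response("www.example.org", ["203.0.113.10"], ttl=0x7F000001),
}

if __name__ == "__main__":
    for label, pkt in SAMPLES.items():
        print(f"{label:15} raw={raw_content_match(pkt)!s:5} "
              f"ascii={ascii_content_match(pkt)!s:5} parsed={classify(pkt)}")
```

Run stand-alone it prints one line per sample; the DNSBL reply and the contrived TTL packet both trip the raw byte match but parse as non-alerts, the 127.0.0.2 answer is missed by the byte match but caught by the parser, and the ASCII pattern from the original rule matches none of them. A Snort equivalent of the parsed check would need the dns service keywords or a byte_test/byte_jump walk rather than a bare content match.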
Current thread:
- External DNS 127.0.0.1 response James Lay (Apr 19)
- Re: External DNS 127.0.0.1 response lists () packetmail net (Apr 19)
- Re: External DNS 127.0.0.1 response James Lay (Apr 19)
- Re: External DNS 127.0.0.1 response James Lay (Apr 20)
- Re: External DNS 127.0.0.1 response lists () packetmail net (Apr 21)
- Re: External DNS 127.0.0.1 response Joel Esler (Apr 21)
- Re: External DNS 127.0.0.1 response James Lay (Apr 21)
- Re: External DNS 127.0.0.1 response James Lay (Apr 19)
- Re: External DNS 127.0.0.1 response lists () packetmail net (Apr 19)