Snort mailing list archives
OT: DNS sinkhole question
From: Jason Haar <Jason_Haar () trimble com>
Date: Thu, 05 Dec 2013 11:04:35 +1300
Hi there

We've got a couple of hits on the "BLACKLIST Connection to malware sinkhole" rules as well as the "ET TROJAN Known Sinkhole Response Header". Basically snort is alerting when a website returns "X-Sinkhole: Malware sinkhole".

The problem is the captured packet is coming from our proxy server, meaning I cannot track it back to a client IP. The destination was 166.78.144.80 and I'm hoping someone here knows what organization is responsible for that sinkhole?

I have a suggestion for them that it would be majorly better if these Sinkholes returned something like:

X-Sinkhole: Malware sinkhole
X-Sinkhole-Webhost: cnc-hacked.domain.com

where X-Sinkhole-Webhost is the hostname the client connected to. Then I'd be able to grep for cnc-hacked.domain.com in the proxy logs and thereby discover the affected client PC.

In fact, ET rule sid:2017662 matches on "X-Sinkholed-Domain:" - which smells very similar to my "X-Sinkhole-Webhost:" idea, so it could be that some sinkholes do it - but not all?

--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
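The correlation the post describes, as an added example that is not part of the original message and not code from the Snort or Emerging Threats projects: parse the sinkhole's HTTP response for the X-Sinkhole marker and a hostname header (X-Sinkholed-Domain as matched by ET sid:2017662, or the X-Sinkhole-Webhost name proposed above), then search the proxy log for requests to that hostname to recover the client IPs behind the proxy. When the sinkhole sends no hostname header, it falls back to matching the sinkhole's upstream IP (166.78.144.80 in the post), which only works if the proxy logs the server IP it connected to. The response text and the squid-style access.log lines are constructed sample data; the proxy log layout is an assumption.

```python
from typing import Dict, Optional
from urllib.parse import urlparse

# Constructed sample: a sinkhole response carrying both the generic marker and
# a hostname header (the X-Sinkholed-Domain name is what ET sid:2017662 keys on).
SINKHOLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "X-Sinkhole: Malware sinkhole\r\n"
    "X-Sinkholed-Domain: cnc-hacked.domain.com\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# Constructed sample: the situation from the post, marker present but no hostname.
SINKHOLE_RESPONSE_NO_HOST = (
    "HTTP/1.1 200 OK\r\n"
    "X-Sinkhole: Malware sinkhole\r\n"
    "\r\n"
)

# Constructed sample proxy log, assumed to be squid native access.log format:
# timestamp elapsed client action/code bytes method URL user hierarchy/peer type
PROXY_LOG = """\
1386194600.123    120 10.1.2.3 TCP_MISS/200 512 GET http://www.example.com/index.html - HIER_DIRECT/93.184.216.34 text/html
1386194601.456     80 10.1.2.44 TCP_MISS/200 0 GET http://cnc-hacked.domain.com/gate.php - HIER_DIRECT/166.78.144.80 text/html
1386194602.789     95 10.1.2.3 TCP_MISS/200 0 GET http://cnc-hacked.domain.com/gate.php?id=1 - HIER_DIRECT/166.78.144.80 text/html
1386194603.000     70 10.1.2.9 TCP_HIT/200 2048 GET http://www.example.org/ - HIER_NONE/- text/html
"""

# Header names that carry the sinkholed hostname; checked in this order.
SINKHOLE_HOST_HEADERS = ("x-sinkholed-domain", "x-sinkhole-webhost")


def parse_headers(raw_response: str) -> Dict[str, str]:
    """Return the response headers as a lower-cased name -> value dict."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def is_sinkhole_response(headers: Dict[str, str]) -> bool:
    """True when the response carries the X-Sinkhole marker the Snort rules alert on."""
    return "x-sinkhole" in headers


def sinkholed_host(headers: Dict[str, str]) -> Optional[str]:
    """Hostname the client originally asked for, if the sinkhole reports it."""
    for name in SINKHOLE_HOST_HEADERS:
        if name in headers:
            return headers[name].lower()
    return None


def affected_clients(log_text: str, hostname: Optional[str] = None,
                     sink_ip: Optional[str] = None) -> Dict[str, int]:
    """Map client IP -> number of proxied requests to hostname or to sink_ip."""
    hits: Dict[str, int] = {}
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 9:
            continue
        client, url, hierarchy = fields[2], fields[6], fields[8]
        url_host = (urlparse(url).hostname or "").lower()
        by_name = hostname is not None and url_host == hostname.lower()
        # squid records the server it connected to as HIER_xxx/<ip>
        by_ip = sink_ip is not None and hierarchy.endswith("/" + sink_ip)
        if by_name or by_ip:
            hits[client] = hits.get(client, 0) + 1
    return hits


def trace_sinkhole_hit(raw_response: str, log_text: str, sink_ip: str) -> Dict[str, int]:
    """Given the alerting response and the proxy log, find the clients behind the proxy."""
    headers = parse_headers(raw_response)
    if not is_sinkhole_response(headers):
        return {}
    host = sinkholed_host(headers)
    if host:
        return affected_clients(log_text, hostname=host)
    # No hostname header (the case in the post): fall back to the sinkhole IP.
    return affected_clients(log_text, sink_ip=sink_ip)


if __name__ == "__main__":
    for ip, count in trace_sinkhole_hit(SINKHOLE_RESPONSE, PROXY_LOG, "166.78.144.80").items():
        print(f"{ip}: {count} request(s) to the sinkholed domain")
```

The hostname match is the reliable path: a sinkhole IP is shared by many sinkholed domains, so the IP fallback can over-match when the same infrastructure hosts unrelated takedowns, whereas the hostname pins the hit to one domain and, with a time window around the alert, to one client.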
Current thread:
- OT: DNS sinkhole question Jason Haar (Dec 04)
- Re: OT: DNS sinkhole question waldo kitty (Dec 04)