Snort mailing list archives

OT: DNS sinkhole question


From: Jason Haar <Jason_Haar () trimble com>
Date: Thu, 05 Dec 2013 11:04:35 +1300

Hi there

We've got a couple of hits on the "BLACKLIST Connection to malware sinkhole" rules
as well as the "ET TROJAN Known Sinkhole Response Header". Basically Snort is alerting
when a website returns "X-Sinkhole: Malware sinkhole".

The problem is the captured packet is coming from our proxy server,
meaning I cannot track it back to a client IP. The destination was
166.78.144.80, and I'm hoping someone here knows what organization is responsible for
that sinkhole.

I have a suggestion for them that it would be majorly better if these Sinkholes
returned something like:

X-Sinkhole: Malware sinkhole
X-Sinkhole-Webhost: cnc-hacked.domain.com

where X-Sinkhole-Webhost is the hostname the client connected to. Then
I'd be able to grep for cnc-hacked.domain.com in the proxy logs and
thereby discover the affected client PC.

In fact, ET rule sid:2017662 matches on "X-Sinkholed-Domain:" - which smells very similar to
my "X-Sinkhole-Webhost:" idea, so it could be that some sinkholes do it - but not all?

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
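
The correlation the post is asking for, as an added example that is not part of the original message: read the sinkhole's response headers (the "X-Sinkhole" header Snort alerts on, plus the "X-Sinkholed-Domain" header that ET sid:2017662 matches), then search Squid-style proxy log lines for client IPs that requested that domain. The response, the log lines and the Squid log layout are constructed assumptions for the demonstration.

```python
"""Correlate a sinkhole HTTP response with proxy logs to find the client behind the proxy.
Added example, not from the original post. Assumes Squid-style access.log lines and the
header names discussed in the post ("X-Sinkhole" and "X-Sinkholed-Domain")."""
from urllib.parse import urlsplit

# Constructed sample: a response as a cooperating sinkhole might return it.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "X-Sinkhole: Malware sinkhole\r\n"
    "X-Sinkholed-Domain: cnc-hacked.domain.com\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# Constructed Squid access.log lines (assumed layout):
# time elapsed client code/status bytes method URL ident hierarchy/peer type
SAMPLE_PROXY_LOG = [
    "1386200000.123 120 10.1.2.3 TCP_MISS/200 512 GET http://www.example.com/ - DIRECT/203.0.113.5 text/html",
    "1386200001.456 80 10.1.2.44 TCP_MISS/200 0 GET http://cnc-hacked.domain.com/gate.php - DIRECT/166.78.144.80 text/html",
    "1386200002.789 95 10.1.2.3 TCP_MISS/200 0 GET http://CNC-Hacked.domain.com:80/ - DIRECT/166.78.144.80 text/html",
]

def sinkhole_headers(raw_response: str) -> dict:
    """Parse response headers into a lowercase-name dict; {} unless X-Sinkhole is present."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers if "x-sinkhole" in headers else {}

def sinkholed_domain(raw_response: str):
    """The domain the client asked for, if the sinkhole reports it; otherwise None."""
    return sinkhole_headers(raw_response).get("x-sinkholed-domain")

def clients_for_domain(log_lines, domain: str) -> set:
    """Client IPs whose proxied requests went to `domain` (host compare is case-insensitive)."""
    hits = set()
    for line in log_lines:
        fields = line.split()
        if len(fields) < 7:
            continue
        host = urlsplit(fields[6]).hostname      # lowercased, port stripped
        if host == domain.lower():
            hits.add(fields[2])                  # client IP column
    return hits
```

Without an X-Sinkholed-Domain (or similar) header, `sinkholed_domain` returns None and the proxy log cannot be searched by hostname, which is exactly the gap the post describes.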

