Snort mailing list archives
False positives for symcb.com
From: Robert Pritchard <rob () thecybersecurityexpert com>
Date: Wed, 15 Oct 2014 14:08:19 +0200
Hello,

Two new rules seem to be generating false positives, and indeed I think they are flagging something non-malicious in the first place. The signature IDs are 32174 and 32173, which are flagging DNS requests for sr & s2.symcd.com as known malware domains. As far as I can tell this is incorrect. This is a domain registered to Symantec which appears to be used for OCSP.

Whois for symcd.com gives:

Registrant Name: Domain Manager
Registrant Organization: Symantec Corporation
Registrant Street: 350 Ellis Street
Registrant City: Mountain View
Registrant State/Province: CA
Registrant Postal Code: 94043
Registrant Country: US
Registrant Phone: +1.6505278000
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: domains () symantec com
Registry Admin ID:
Admin Name: Domain Manager
Admin Organization: Symantec Corporation
Admin Street: 350 Ellis Street
Admin City: Mountain View
Admin State/Province: CA
Admin Postal Code: 94043
Admin Country: US
Admin Phone: +1.6505278000
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: domains () symantec com

Dig shows:

$ dig -t A sr.symcd.com

; <<>> DiG 9.8.3-P1 <<>> -t A sr.symcd.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29277
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;sr.symcd.com.                          IN      A

;; ANSWER SECTION:
sr.symcd.com.                     1022  IN      CNAME   ocsp.ws.symantec.com.edgekey.net.
ocsp.ws.symantec.com.edgekey.net. 6101  IN      CNAME   e8218.ce.akamaiedge.net.
e8218.ce.akamaiedge.net.          20    IN      A       23.43.75.27

;; Query time: 59 msec
;; SERVER: 46.32.224.29#53(46.32.224.29)
;; WHEN: Wed Oct 15 13:16:19 2014
;; MSG SIZE  rcvd: 126

When I look for connections to 23.43.75.27 I see nothing but OCSP requests, to those domains and others.

Happy to be proved wrong (it's not unusual!), but I think these domains have been flagged as malicious in error.
Rob

-- 
Rob Pritchard
www.thecybersecurityexpert.com
Mobile: +44 7968 828122
Office: +44 20 3290 4065
Skype: thecybersecurityexpert

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
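The checks Rob walks through above (resolve the flagged name, follow the CNAME chain to the address, and confirm that traffic to that address is only OCSP) can be scripted so that the same triage is repeatable for any domain rule that fires. The following Python helper is an added example; it is not part of the post, of the Snort rules, or of any Snort tooling. The dig output and HTTP requests inside it are constructed to mirror the shape of what the post shows, and the list of CDN suffixes treated as evidence of hosted OCSP infrastructure is an assumption for illustration.

```python
"""Triage helper for a DNS-based IDS alert (added example, not Snort code).

Given dig output for the flagged name, it follows the CNAME chain to the
final A record, checks whether the hops sit under assumed CDN suffixes, and
counts how many captured HTTP requests to that address are OCSP requests
(RFC 6960 Appendix A: POST with Content-Type application/ocsp-request).
"""

# Constructed dig output shaped like the output in the post (not a live capture).
SAMPLE_DIG = """\
; <<>> DiG 9.8.3-P1 <<>> -t A sr.symcd.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29277
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;sr.symcd.com.\t\t\tIN\tA

;; ANSWER SECTION:
sr.symcd.com.\t\t1022\tIN\tCNAME\tocsp.ws.symantec.com.edgekey.net.
ocsp.ws.symantec.com.edgekey.net. 6101\tIN\tCNAME\te8218.ce.akamaiedge.net.
e8218.ce.akamaiedge.net. 20\tIN\tA\t23.43.75.27

;; Query time: 59 msec
"""

# Constructed plaintext HTTP requests: one OCSP POST and one ordinary GET.
SAMPLE_REQUESTS = [
    "POST / HTTP/1.1\r\nHost: sr.symcd.com\r\n"
    "Content-Type: application/ocsp-request\r\nContent-Length: 83\r\n\r\n",
    "GET /index.html HTTP/1.1\r\nHost: sr.symcd.com\r\n\r\n",
]

# Assumed CDN suffixes under which public OCSP responders are commonly hosted.
# This list is an assumption for the example; maintain your own in practice.
KNOWN_CDN_SUFFIXES = ("edgekey.net", "akamaiedge.net")


def _norm(name):
    """Lower-case a DNS name and drop the trailing dot dig prints."""
    return name.rstrip(".").lower()


def parse_dig_answer(text):
    """Return (name, ttl, type, rdata) tuples from dig's ANSWER SECTION."""
    records = []
    in_answer = False
    for line in text.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if not in_answer:
            continue
        if not line.strip() or line.startswith(";"):
            break  # end of the answer section
        parts = line.split()
        if len(parts) < 5:
            continue
        name, ttl, _cls, rtype, rdata = parts[:5]
        rdata = _norm(rdata) if rtype == "CNAME" else rdata
        records.append((_norm(name), int(ttl), rtype, rdata))
    return records


def follow_chain(records, qname):
    """Follow CNAMEs from qname; return (chain of names, list of A addresses)."""
    chain = [_norm(qname)]
    seen = set(chain)
    while True:
        matching = [r for r in records if r[0] == chain[-1]]
        cname = next((r for r in matching if r[2] == "CNAME"), None)
        if cname is None:
            return chain, [r[3] for r in matching if r[2] == "A"]
        if cname[3] in seen:  # guard against a CNAME loop
            return chain, []
        seen.add(cname[3])
        chain.append(cname[3])


def chain_on_known_cdn(chain, suffixes=KNOWN_CDN_SUFFIXES):
    """True if every hop after the queried name sits under a known CDN suffix."""
    hops = chain[1:]
    return bool(hops) and all(
        any(h == s or h.endswith("." + s) for s in suffixes) for h in hops
    )


def is_ocsp_http_request(raw):
    """Classify a plaintext HTTP request as OCSP by its POST media type.

    The GET form (base64 DER in the path) is not covered here.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for h in lines[1:]:
        if ":" in h:
            k, v = h.split(":", 1)
            headers[k.strip().lower()] = v.strip().lower()
    return lines[0].startswith("POST ") and \
        headers.get("content-type") == "application/ocsp-request"


def triage(dig_text, qname, requests):
    """Summarise the evidence for or against a domain rule being a false positive."""
    chain, addresses = follow_chain(parse_dig_answer(dig_text), qname)
    ocsp = sum(1 for r in requests if is_ocsp_http_request(r))
    return {
        "chain": chain,
        "addresses": addresses,
        "cdn_hosted": chain_on_known_cdn(chain),
        "ocsp_requests": ocsp,
        "other_requests": len(requests) - ocsp,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_DIG, "sr.symcd.com", SAMPLE_REQUESTS))
```

A result where every hop lands on CDN infrastructure and the captured traffic is entirely OCSP supports the false-positive case; any non-OCSP requests to the same address are the rows worth looking at before the rule is disabled.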