Snort mailing list archives

False positives for symcb.com


From: Robert Pritchard <rob () thecybersecurityexpert com>
Date: Wed, 15 Oct 2014 14:08:19 +0200

Hello

Two new rules seem to be generating false positives, and indeed I think
they are flagging something non-malicious in the first place. The
signature IDs are 32174 and 32173, which are flagging DNS requests for
sr & s2.symcd.com as known malware domains.

As far as I can tell this is incorrect. This is a domain registered to
Symantec which appears to be used for OCSP.

Whois for symcd.com gives:

Registrant Name: Domain Manager
Registrant Organization: Symantec Corporation
Registrant Street: 350 Ellis Street
Registrant City: Mountain View
Registrant State/Province: CA
Registrant Postal Code: 94043
Registrant Country: US
Registrant Phone: +1.6505278000
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: domains () symantec com
Registry Admin ID:
Admin Name: Domain Manager
Admin Organization: Symantec Corporation
Admin Street: 350 Ellis Street
Admin City: Mountain View
Admin State/Province: CA
Admin Postal Code: 94043
Admin Country: US
Admin Phone: +1.6505278000
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: domains () symantec com

Dig shows:

$ dig -t A sr.symcd.com

; <<>> DiG 9.8.3-P1 <<>> -t A sr.symcd.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29277
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;sr.symcd.com.            IN    A

;; ANSWER SECTION:
sr.symcd.com.        1022    IN    CNAME    ocsp.ws.symantec.com.edgekey.net.
ocsp.ws.symantec.com.edgekey.net. 6101 IN CNAME    e8218.ce.akamaiedge.net.
e8218.ce.akamaiedge.net. 20    IN    A    23.43.75.27

;; Query time: 59 msec
;; SERVER: 46.32.224.29#53(46.32.224.29)
;; WHEN: Wed Oct 15 13:16:19 2014
;; MSG SIZE  rcvd: 126

When I look for connections to 23.43.75.27 I see nothing but OCSP
requests, to those domains and others.

Happy to be proved wrong (it's not unusual!), but I think these domains
have been flagged as malicious in error.

Rob

-- 

Rob Pritchard
www.thecybersecurityexpert.com
Mobile: +44 7968 828122
Office: +44 20 3290 4065
Skype: thecybersecurityexpert
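The triage step in the post (resolve the flagged name, follow the CNAME chain to the final address, then judge whether the infrastructure is a known OCSP responder) can be scripted. This is an added example, not code from the post or from the Snort project; it parses the dig ANSWER SECTION quoted above (embedded here as constructed sample input) and the `known_responders` allowlist is an analyst-supplied assumption.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the ANSWER SECTION from the dig output in the post.
DIG_ANSWER = """\
sr.symcd.com.        1022    IN    CNAME   ocsp.ws.symantec.com.edgekey.net.
ocsp.ws.symantec.com.edgekey.net. 6101 IN CNAME    e8218.ce.akamaiedge.net.
e8218.ce.akamaiedge.net. 20    IN    A    23.43.75.27
"""

# owner  TTL  IN  TYPE  rdata  (only CNAME and A records are of interest here)
RR = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(CNAME|A)\s+(\S+)$")


def parse_dig_answer(text: str) -> Dict[str, Tuple[str, str]]:
    """Map each owner name (lower-cased, no trailing dot) to (rtype, rdata)."""
    records: Dict[str, Tuple[str, str]] = {}
    for line in text.splitlines():
        m = RR.match(line.strip())
        if m:
            owner, _ttl, rtype, rdata = m.groups()
            records[owner.rstrip(".").lower()] = (rtype, rdata.rstrip(".").lower())
    return records


def cname_chain(records: Dict[str, Tuple[str, str]], name: str,
                max_hops: int = 8) -> Tuple[List[str], Optional[str]]:
    """Follow CNAMEs from `name`; return (names visited, final A address or None)."""
    chain = [name.rstrip(".").lower()]
    while len(chain) <= max_hops:
        rtype, rdata = records.get(chain[-1], (None, None))
        if rtype == "CNAME":
            if rdata in chain:          # guard against a CNAME loop
                return chain, None
            chain.append(rdata)
        elif rtype == "A":
            return chain, rdata
        else:                           # no record: chain ends without an address
            return chain, None
    return chain, None


def triage(records: Dict[str, Tuple[str, str]], flagged_name: str,
           known_responders: Tuple[str, ...]) -> dict:
    """Judge an alert benign if any name in its CNAME chain sits under an
    allow-listed responder suffix (the allowlist is the analyst's assumption)."""
    chain, ip = cname_chain(records, flagged_name)
    benign = any(n == k or n.endswith("." + k) for n in chain for k in known_responders)
    return {"chain": chain, "ip": ip, "looks_benign": benign}
```

Run `triage(parse_dig_answer(DIG_ANSWER), "sr.symcd.com", ("symantec.com.edgekey.net",))` to reproduce the post's chain ending at 23.43.75.27; a name with no records in the captured answer (such as s2.symcd.com here) yields no address and is not marked benign.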


