Snort mailing list archives
Re: Long DNS name segment exclusion
From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Thu, 12 Nov 2015 22:37:15 +0000
This is why there are suppressions.

--
Joel Esler
Manager, Talos

Sent from my iPhone

> On Nov 12, 2015, at 4:03 PM, Y M <snort () outlook com> wrote:
>
> The rule you are attempting to modify is a shared object (so) rule. Such rules are written in a code form (probably C) and then compiled into a shared object which is then loaded when Snort runs. Basically you are modifying the rule stub rather than the rule itself.
>
> Sent from Mobile
>
> _____________________________
> From: Brian <crazibri () gmail com>
> Sent: Thursday, November 12, 2015 3:41 AM
> Subject: [Snort-sigs] Long DNS name segment exclusion
> To: <snort-sigs () lists sourceforge net>
>
> I've customized the default rule so that I can exclude certain domain names; we have long DNS name resolutions. However, this rule is not working because it still fires in the snort log.
>
> Rule:
>
> alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"MALWARE-OTHER dns request with long host name segment - possible data exfiltration attempt"; sid:5000001; gid:3; rev:1; classtype:attempted-recon; metadata: engine shared, soid 3|30881, service dns, content:!"sophosxl"; content:!"spotify|03|com"; )
>
> What's wrong here? Sophosxl TXT lookups keep getting flagged. Even with just the name only.
>
> Brian (Sent via Mobile)
>
> ------------------------------------------------------------------------------
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
> Please visit http://blog.snort.org for the latest news about Snort!
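Added example, not code from the thread or from the compiled Snort rule: an offline illustration of the check the rule message describes (parse the QNAME of a DNS query, measure its longest label) with Brian's two `content:!` negations applied as an allowlist on the decoded name. This is the kind of logic that lives inside the shared object, which is why adding options to the stub does not change it; the 50-byte threshold and the `.example` domains below are placeholders, since the real threshold is not given in the thread.

```python
import struct

# Assumption (not stated in the thread): the SO rule's real length threshold is
# compiled into the shared object and unknown here; 50 is a placeholder.
MAX_LABEL_LEN = 50

# The two negations from Brian's rule stub, mirrored as substring matches on the
# dotted query name: content:!"sophosxl" and content:!"spotify|03|com".
EXCLUDED = ("sophosxl", "spotify.com")


def parse_qname(msg: bytes, offset: int = 12):
    """Decode the QNAME of the first question; return (labels, offset after it)."""
    labels = []
    while True:
        if offset >= len(msg):
            raise ValueError("truncated name")
        length = msg[offset]
        offset += 1
        if length == 0:
            return labels, offset
        if length & 0xC0:  # 0xC0 = compression pointer; 0x40/0x80 are reserved
            raise ValueError("unsupported label type in question name")
        if offset + length > len(msg):
            raise ValueError("truncated label")
        labels.append(msg[offset:offset + length].decode("ascii", "replace"))
        offset += length


def longest_label(labels):
    return max((len(label) for label in labels), default=0)


def is_excluded(labels):
    name = ".".join(labels).lower()
    return any(token in name for token in EXCLUDED)


def classify(msg: bytes) -> str:
    """'ok' below the threshold, 'suppressed' if on the allowlist, else 'alert'."""
    labels, _ = parse_qname(msg)
    if longest_label(labels) <= MAX_LABEL_LEN:
        return "ok"
    return "suppressed" if is_excluded(labels) else "alert"


def build_query(name: str, qtype: int = 16) -> bytes:
    """Constructed sample: 12-byte DNS header plus one question (TXT by default)."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)
```

In Snort itself the equivalent knob is a `suppress` entry for gen_id 3, sig_id 30881 in threshold.conf (optionally with `track by_src`/`by_dst` and an IP), which is the suppression Joel refers to.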
Current thread:
- Long DNS name segment exclusion Brian (Nov 11)
- Re: Long DNS name segment exclusion Y M (Nov 12)
- Re: Long DNS name segment exclusion Joel Esler (jesler) (Nov 12)
- Re: Long DNS name segment exclusion Brian (Nov 12)
- Re: Long DNS name segment exclusion Joel Esler (jesler) (Nov 12)
- Re: Long DNS name segment exclusion Y M (Nov 12)