Re: Rule 3:30881

[James Lay <jlay () slave-tothe-box net>]

Thanks Jeremy.  Yea this one is odd...I may have to craft a custom 
exclude filter for maybe "cat-server-lb-tus1gwynwapex"...I don't want to 
just event filter the entire rule since ya..it's catching exfiltration 
via UDP.

James

On 2016-10-20 17:13, Jeremy Hoel wrote:
> So for this type of rule, for the clients I have been working with, I
> tell them that there isn't a great way to filter this.  It's looking
> for everly long DNS queries, which rack space providers offer and
> while it can be assumed that someone doing malware things wouldn't use
> computername.ip.info.amazon.aws  (or some other long dns exfiltration
> scheme).. it should be able to exclude CDNs and some AWS domains..
> just knowing that you might be opening it up to other things.
>
> I have been thinking about how to do other things in order to prevent
> FPs, but I couldn't come up with anything that could also be used by
> the bad guys.  As people use more cloud based services, this is going
> to become harder to use.  A better option might be to just capture DNS
> queries and quickly query that
>
> On Thu, Oct 20, 2016 at 7:05 AM, James Lay <jlay () slave-tothe-box net>
> wrote:
>
> > Rule:
> > alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"MALWARE-OTHER dns
> > request with long host name segment - possible data exfiltration
> > attempt"; sid:30881; gid:3; rev:4; classtype:attempted-recon;
> > metadata:
> > engine shared, soid 3|30881, service dns;)
> >
> > Hit
> > [3:30881:3] MALWARE-OTHER dns request with long host name segment -
> > possible data exfiltration attempt [Classification: Attempted
> > Information Leak] [Priority: 2] {UDP} x.x.x.x:64712 -> x.x.x.x:53
> >
> > dns request
> > cat-server-lb-tus1gwynwapex01-368602537.us-east-1.elb.amazonaws.com
> > [1]
> >
> > I'm hoping you folks can look at this instead of myself just blindly
> > event_filtering this rule.  Thank you.
> >
> > James
> ------------------------------------------------------------------------------
> > Check out the vibrant tech community on one of the world's most
> > engaging tech sites, SlashDot.org! http://sdm.link/slashdot
> > _______________________________________________
> > Snort-sigs mailing list
> > Snort-sigs () lists sourceforge net
> > https://lists.sourceforge.net/lists/listinfo/snort-sigs [2]
> > http://www.snort.org
> >
> > Please visit http://blog.snort.org for the latest news about Snort!
>
>
>
> Links:
> ------
> [1] 
> http://cat-server-lb-tus1gwynwapex01-368602537.us-east-1.elb.amazonaws.com
> [2] https://lists.sourceforge.net/lists/listinfo/snort-sigs

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most 
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!