Snort mailing list archives

Re: Help with Snort Processor


From: Paul O'Brien via Snort-users <snort-users () lists snort org>
Date: Fri, 27 Oct 2017 07:50:10 -0400

Thank you for the response Joel. I apologize for not being clear. I understand it is doing exactly what it is supposed 
to do but I am getting multiple text notifications a day whenever someone opens chrome. I am very new to this and more 
than happy to get you an example of the alert, just not sure what you are looking for. Just a copy/paste or something 
more involved?

Thanks,
Dan
770-624-1010
pdobrien3 () gmail com

"Better is a poor man who walks in his integrity than a rich man who is crooked in his ways." - Proverbs 28:6

Sent from my iPhone

On Oct 26, 2017, at 11:25 PM, Joel Esler (jesler) <jesler () cisco com> wrote:

It’s not a preprocessor, this is a shared object rule, but it is doing exactly what it is supposed to do.  Looking 
for random looking hostnames.  Do you have an example of an alert?


--
Joel Esler | Talos: Manager | jesler () cisco com
On Oct 25, 2017, at 8:06 PM, Dan O'Brien via Snort-users <snort-users () lists snort org> wrote:

Good evening all,

Looking for some suggestions to quiet (PROTOCOL-DNS domain not found containing random-looking hostname - possible 
DGA detected).  It goes off every time someone opens Chrome due to Chrome DNS prefetching. I disabled prefetching in 
Chrome but apparently it still does some things upon opening that can't be controlled in the settings.

Browser Startup

Chromium automatically remembers the first 10 domains that were resolved the last time Chromium was started, and 
automatically starts to resolve these names very early in the startup process.  As a result, the domains for a 
user's home page(s), along with any embedded domains (or anything the user "always" visits just after startup), are 
generally resolved before much of Chromium has ever loaded.  When Chromium finally starts to try to load and render 
those pages, there is typically no DNS induced latency, and the application effectively "starts up" (becoming 
usable) faster.  Average startup savings are 200ms or more, with common acceleration over 1 second.

Looking for ideas beyond disabling the rule.  Thanks in advance.

Thanks,
Dan
(770) 624-1010
pdobrien3 () gmail com

"Better is a poor man who walks in his integrity than a rich man who is crooked in his ways." - Proverbs 28:6

Sent from my iPad
_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
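Added example, not part of any message in this thread: Dan asked for options short of disabling the rule, and Snort's threshold.conf offers two that fit a trigger that is known to be benign on a specific host population, such as the ten startup lookups Chrome issues. The sig_id is a placeholder because the thread never states the rule's SID; gen_id 3 is the generator ID Snort assigns to shared object rules, which is what Joel says this is; the 10.20.0.0/16 workstation range is a constructed value.

```conf
# threshold.conf (included from snort.conf) -- two ways to tune the
# "possible DGA" shared object rule without turning it off.

# Option 1: rate-limit instead of silencing. Per source host, pass the first
# alert in each hour and drop the rest. A Chrome start-up burst of ten
# lookups collapses to one alert, while a host that keeps resolving
# random-looking names still surfaces every hour.
event_filter gen_id 3, sig_id <SO_RULE_SID_PLACEHOLDER>, type limit, track by_src, count 1, seconds 3600

# Option 2: suppress only for the workstation subnet where Chrome runs
# (constructed range), leaving servers and other segments fully covered.
suppress gen_id 3, sig_id <SO_RULE_SID_PLACEHOLDER>, track by_src, ip 10.20.0.0/16
```

Pick one of the two per rule rather than stacking both, restart Snort after editing, and start with Option 1: it keeps the signal that a host is resolving random-looking names, just at a volume a person can read, whereas Option 2 blinds the rule entirely for that address range.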