Snort mailing list archives

Re: SID 1-44076 Suspicious .trade dns query


From: wkitty42 () windstream net
Date: Tue, 29 May 2018 10:49:13 -0400

On 05/29/2018 09:46 AM, Jorge Junco wrote:
Sorry, I'm really new here and it seems to be a simple question...


we all started somewhere :)


My DC is up to date! Does it mean the Sophos Firewall Software or my Windows Updates?


the first step is to determine /where/ those .trade DNS lookups are coming from... there may be a machine on your network making them... i don't know if alerting on those lookups means there is something bad on your network or if they are just an indicator of something that might be bad... it is possible that they may lead to something bad... generally these types of rules are in the policy category...

anyway, once you determine where those lookups are coming from, then you have to determine /why/... if it is a legit lookup from an allowed application, then you may want to disable that rule for that one system's IP (hint: threshold.conf)... if it is not legit, then you have some bit of a mess to clean up on that machine...

to find out where the lookup is coming from, you could look in the logs for snort or in the database, if your setup has such a monitoring and reporting capability... worst case is you would look at the pcap file that alert is saved in using something like wireshark (gui) or tcpdump (cli)...


--
 NOTE: No off-list assistance is given without prior approval.
       *Please keep mailing list traffic on the list unless*
       *a signed and pre-paid contract is in effect with us.*
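The triage the reply describes (find which hosts trigger SID 1-44076, then suppress it for one vetted host via threshold.conf) as an added shell example; this is not code from the list post. It assumes Snort's alert_fast log format, constructed sample alerts with RFC 5737 addresses, and a hypothetical local SID 1:1000001 as an unrelated alert.

```shell
#!/bin/sh
# Constructed sample alert_fast lines (hypothetical hosts and IPs), standing in
# for /var/log/snort/alert on a real sensor.
ALERTS='05/29-09:40:01.123456  [**] [1:44076:1] Suspicious .trade dns query [**] [Priority: 3] {UDP} 192.0.2.15:51234 -> 192.0.2.1:53
05/29-09:40:05.654321  [**] [1:44076:1] Suspicious .trade dns query [**] [Priority: 3] {UDP} 192.0.2.15:51240 -> 192.0.2.1:53
05/29-09:41:10.111111  [**] [1:1000001:1] LOCAL unrelated test alert [**] [Priority: 3] {TCP} 198.51.100.7:80 -> 192.0.2.20:44321
05/29-09:42:30.222222  [**] [1:44076:1] Suspicious .trade dns query [**] [Priority: 3] {UDP} 192.0.2.77:33000 -> 192.0.2.1:53'

# Step 1: which internal hosts are making the lookups?
# Reads alert_fast lines on stdin, keeps only the given "gid:sid", and prints
# "source-ip hit-count", most frequent first.
sources_for_sid() {
  awk -v sid="[$1:" '
    index($0, sid) {
      # the "{PROTO}" token is followed by "src:port"; strip the port
      for (i = 1; i <= NF; i++)
        if ($i ~ /^[{][A-Z]+[}]$/) { split($(i + 1), a, ":"); print a[1] }
    }' | sort | uniq -c | sort -rn | awk '{ print $2, $1 }'
}

# Step 2 (only after the lookups from that host are confirmed legitimate):
# build the threshold.conf line that silences this SID for that one source
# address, leaving the rule active for every other host.
suppress_line() {
  # $1 = gid, $2 = sid, $3 = source IP to suppress
  printf 'suppress gen_id %s, sig_id %s, track by_src, ip %s\n' "$1" "$2" "$3"
}

# Step 3 (the "worst case" in the reply): confirm the queried names from the
# saved pcap before deciding, e.g. with
#   tshark -r alert.pcap -Y 'dns.qry.name contains ".trade"' -T fields -e ip.src -e dns.qry.name
# or, without a DNS dissector, tcpdump -nn -r alert.pcap 'udp port 53'.

printf '%s\n' "$ALERTS" | sources_for_sid 1:44076
suppress_line 1 44076 192.0.2.15
```

Once the suppress line is in threshold.conf, restart Snort (or reload its configuration) and re-check the alert log: hits from the suppressed host should disappear while alerts from other hosts, such as the second address above, keep firing.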
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit Snort.org to subscribe to the official Snort ruleset, and make sure to stay up to date to catch the most emerging threats: https://snort.org/downloads/#rule-downloads

