Snort mailing list archives

Re: [Emerging-Sigs] Suspicious DNS rule


From: James Lay via Snort-sigs <snort-sigs () lists snort org>
Date: Thu, 02 Aug 2018 04:10:32 -0600

Could be....maybe sandbox inetsim detection...hrmm....just not sure.

James

On Wed, 2018-08-01 at 19:31 +0000, Y M wrote:
Here is a lousy theory: these appear to be the octal representation
of the hexadecimal values of the two extended ASCII characters?

CAh > Ê  capital E with circumflex  > CA (hex) = 312 (oct)
B1h > ±  plus-or-minus sign         > B1 (hex) = 261 (oct)

Why? I have no idea :)

YM

From: Emerging-sigs <emerging-sigs-bounces () lists emergingthreats net>
on behalf of James Lay <jlay () slave-tothe-box net>
Sent: Tuesday, July 31, 2018 8:16 PM
To: emerging-sigs; Snort-Sigs
Subject: [Emerging-Sigs] Suspicious DNS rule
So ok....I got three samples, two Agent Tesla, one FormBook, all
exhibit the following:

list of samples on any_run:
https://app.any.run/tasks/33d3e229-fba7-476b-8ec9-7464eacb1ca3
https://app.any.run/tasks/6d9371e7-249b-47d1-bbbb-cf66dd34e30b
https://app.any.run/tasks/065b87cb-a6d3-4dc7-a06f-a893281b4263

these requests show up funky:

my only guess is a specific packer is calling out as the three
samples are all .NET.  Anyway sig below:

alert udp $HOME_NET any -> any 53 (msg:"Suspicious DNS Request";
content:"|01 00 00 01 00 00 00 00 00 00 02 ca b1 03 6f 72 67 00|";
fast_pattern:only; classtype:trojan-activity; sid:XXXXXX; rev:1;
metadata:created_at 2018_07_31;)

if someone has any more insight I'd love to know what this really
is.  Thank you.
James
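An added example, not part of any post in this thread: a small Python parser built from the byte string in James's rule. It decodes the DNS header and question name the rule's content match describes (flags 0x0100, QDCOUNT 1, then the two-byte label CA B1 followed by "org"), renders the odd label as \DDD octal escapes to show where Y M's 312/261 values come from, and emulates the rule's match as a plain substring search over the UDP payload. The transaction ID, QTYPE and QCLASS in the sample query and the benign comparison query are constructed values the rule does not inspect.

```python
import struct

# Byte string from the rule's content match: DNS header fields after the
# transaction ID (flags 0x0100, QDCOUNT 1, AN/NS/AR 0), then the question
# name as a 2-byte label 0xCA 0xB1, a 3-byte label "org", and the root.
RULE_CONTENT = bytes.fromhex("01000001000000000000" "02cab1" "036f726700")

# Constructed full query payload: the transaction ID and QTYPE/QCLASS (A, IN)
# are assumptions; the rule does not look at them.
SAMPLE_QUERY = b"\x12\x34" + RULE_CONTENT + b"\x00\x01\x00\x01"


def parse_dns_query(payload: bytes) -> dict:
    """Parse the DNS header and the first question from a raw UDP payload."""
    if len(payload) < 12:
        raise ValueError("payload shorter than a DNS header")
    txid, flags, qdcount, ancount, nscount, arcount = struct.unpack("!6H", payload[:12])
    labels = []
    pos = 12
    while True:
        if pos >= len(payload):
            raise ValueError("truncated question name")
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            # Compression pointers are not valid inside a question name.
            raise ValueError("compression pointer in question name")
        labels.append(payload[pos:pos + length])
        pos += length
    if pos + 4 > len(payload):
        raise ValueError("truncated QTYPE/QCLASS")
    qtype, qclass = struct.unpack("!HH", payload[pos:pos + 4])
    return {
        "id": txid, "flags": flags, "qdcount": qdcount, "ancount": ancount,
        "nscount": nscount, "arcount": arcount, "labels": labels,
        "qtype": qtype, "qclass": qclass,
    }


def escape_label(label: bytes) -> str:
    """Render a label; bytes outside printable ASCII become \\DDD octal escapes."""
    out = []
    for b in label:
        if 0x21 <= b <= 0x7E and b not in (0x2E, 0x5C):  # not '.' or '\\'
            out.append(chr(b))
        else:
            out.append("\\%03o" % b)
    return "".join(out)


def qname_text(labels) -> str:
    """Join labels into a dotted name using the escaped form."""
    return ".".join(escape_label(label) for label in labels)


def byte_forms(b: int) -> dict:
    """Show one byte as hex, octal, decimal and its Latin-1 character."""
    return {
        "hex": f"{b:02X}",
        "oct": f"{b:03o}",
        "dec": b,
        "latin1": bytes([b]).decode("latin-1"),
    }


def matches_rule(payload: bytes) -> bool:
    """Emulate the rule: the content bytes anywhere in the UDP payload."""
    return RULE_CONTENT in payload


if __name__ == "__main__":
    q = parse_dns_query(SAMPLE_QUERY)
    print("QNAME:", qname_text(q["labels"]))
    for b in q["labels"][0]:
        print(byte_forms(b))
    print("rule matches:", matches_rule(SAMPLE_QUERY))
```

Running it prints the name as `\312\261.org`, and the per-byte table gives CA/312/202/Ê and B1/261/177/±, the same pairs Y M listed. Because the rule carries no `offset` or `depth`, the emulated match is a bare substring search; a query for any other name (for example `example.org`) does not contain the sequence and is not matched.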




_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs
