Re: 45907 FP

[James Lay via Snort-sigs <snort-sigs () lists snort org>]

Hi Nicholas!

Thank you for the mod.

James

P.S. You're right I have been quiet....which....is kind of a change of
pace for me I guess ☺

On Tue, 2020-05-26 at 15:46 +0000, Nicholas Mavis (nmavis) wrote:
> Hey James,
>
>
>
>
>
> Good to see you on the list again.
>
>
>
>
>
>
>
> Detecting flow direction can be difficult for DNS rules but I think
> this rule should be "$HOME_NET any -> any 53" to cover requests to
> both internal and external DNS servers originating from your network.
>
>
>
>
>
> I'm going to make a revision to this rule for you.
>
>
>
>
>
> Thanks,
>
> Nick Mavis
>
> Sr. Research Engineer, Talos
>
>
>
>
> From: Snort-sigs <snort-sigs-bounces () lists snort org> on behalf of
> James Lay via Snort-sigs <snort-sigs () lists snort org>
>
> Sent: Sunday, May 24, 2020 7:06 AM
>
> To: Snort-Sigs <snort-sigs () lists snort org>
>
> Subject: [Snort-sigs] 45907 FP
>  
>
>
> Seen about 5 of these starting on the 15th...this is an incoming
> request
>  for aaa[.]stage[.]no[.]offense from 212.92.125.191:
>
>
>
>
> 05/24-10:02:05.674357  [**] [1:45907:1] MALWARE-CNC Cobalt Strike DNS
> beacon outbound TXT record [**] [Classification: A Network Trojan was
> Detected] [Priority: 1] {UDP} 212.92.124.191:41900 -> x.x.x.x:53
>
>
>
> James


_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a 
href=" https://snort.org/downloads/#rule-downloads";>emerging threats</a>!