[Snort-sigs] BOTNET-CNC Possible host infection - excessive DNS queries for .eu

Alex Kirk akirk at ...435...
Mon Mar 12 10:41:10 EDT 2012

First, you need the ".eu" bit because you need to have a content match in
the rule, else performance will suffer massively. Second, and more
important, the behavior we've seen centers around this particular TLD (and
a couple of others for which we have rules); we're targeting there to keep
false positives down.

As far as this picking up other malware - chances are high it will. The
rule of thumb is to take a look at the domain names in the alerts, and
determine whether they're legitimate or not (which is usually obvious
because malicious ones are randomized), and then track back to the boxes
generating the queries for a thorough scan/investigation.

On Sun, Mar 11, 2012 at 8:00 AM, Yew Chuan Ong <yewchuan88 at ...2420...> wrote:

> Hi,
> alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BOTNET-CNC Possible host
> infection - excessive DNS queries for .eu"; flow:to_server;
> byte_test:1,!&,0xF8,2; content:"|02|eu|00|"; fast_pattern:only;
> detection_filter:track by_src, count 100, seconds 10;
> classtype:trojan-activity; sid:21544; rev:1;)
> This is the new sig posted on VRT blog recently which aimed to find out
> malware within the network. I am wondering why we need to specific on the
> keyword ".eu". Can we tracked the related traffic by using only the
> threshold?
> Also, are we aiming on any specific malware besides Murofet and Kazy? I
> try to google around but can't really get it. Thanks!
> ------------------------------------------------------------------------------
> Try before you buy = See our experts in action!
> The most comprehensive online learning library for Microsoft developers
> is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
> Metro Style Apps, more. Free future releases when you subscribe now!
> http://p.sf.net/sfu/learndevnow-dev2
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
> Please visit http://blog.snort.org for the latest news about Snort!

Alex Kirk
AEGIS Program Lead
Sourcefire Vulnerability Research Team
alex.kirk at ...435...
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20120312/de9b7c04/attachment.html>

More information about the Snort-sigs mailing list