[Snort-sigs] BOTNET-CNC Possible host infection - excessive DNS queries for .eu

Martin Holste mcholste at ...2420...
Mon Mar 12 11:46:20 EDT 2012


My point was that you should probably use at least !$SMTP_SERVERS for
the srcip.  I can definitely understand not wanting to also add
!$DNS_SERVERS since a compromised client could (will?) be using the
org's DNS servers to do the lookups.  In any case, it's clear that the
rule is more for demonstrative purposes than anything, but that's why
I wanted to raise the point regarding some of the pitfalls of
detection_filter based rules for any new rule-writers out there.

On Mon, Mar 12, 2012 at 10:27 AM, Joel Esler <jesler at ...435...> wrote:
> On Mon, Mar 12, 2012 at 11:21 AM, Community Signatures
> <lists at ...3397...> wrote:
>>
>> On 03/12/12 10:14, Martin Holste wrote:
>> > The sig, as written, will false like crazy on any medium or large
>> > sized network because it does not take into account DNS servers or
>> > SMTP servers (or spam gateways) which do a lot of DNS lookups.
>>
>> I dunno, "detection_filter:track by_src, count 100, seconds 10;" -- even
>> in these high-volume networks I would tend to agree that 10
>> queries/second is suspicious when 100 after 10 seconds is reached.
>>
>
> We've had one report of a false positive on a rule similar to this as a
> result of Chrome doing pre-fetching on certain sites (.ru, not .eu) so I am
> sure it could happen.  If there are 100 external links NOT with the same
> domain name on a single page.
>
> This is an indicator of compromise.  In the new rule category system:
> http://blog.snort.org/2012/03/rule-category-reorganization.html
>
> This will go in INDICATOR-COMPROMISE
>
>
> --
> Joel Esler
> Senior Research Engineer, VRT
> OpenSource Community Manager
> Sourcefire
>
>
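An added example, not code from the thread or from the Snort project: a small Python simulation of the detection_filter discussed above ("track by_src, count 100, seconds 10") applied to DNS queries for .eu names. It uses constructed traffic and constructed stand-ins for the $SMTP_SERVERS and $DNS_SERVERS variables, and shows Martin's point that negating the mail servers in the source address removes a whole class of false positives, while Joel's browser pre-fetch case (one client resolving 100 distinct domains for a single page) still fires because it is indistinguishable from the infected host on count alone.

```python
"""Simplified model of a Snort detection_filter (track by_src, count 100,
seconds 10) run over DNS queries for .eu names.  Constructed sample traffic;
this is an illustration, not Snort's own implementation."""
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

# Constructed stand-ins for the snort.conf variables (assumption, not the
# list's or any real deployment's values).
SMTP_SERVERS = [ip_network("10.0.1.0/29")]
DNS_SERVERS = [ip_network("10.0.0.53/32")]

COUNT, SECONDS = 100, 10


class DetectionFilter:
    """Sliding-window approximation of 'detection_filter: track by_src':
    a source trips the filter once it has produced COUNT matching packets
    within SECONDS.  Snort's real window handling differs in detail."""

    def __init__(self, count=COUNT, seconds=SECONDS):
        self.count = count
        self.seconds = seconds
        self.windows = defaultdict(deque)   # src -> timestamps in window

    def check(self, src, ts):
        q = self.windows[src]
        q.append(ts)
        while ts - q[0] > self.seconds:     # expire timestamps outside the window
            q.popleft()
        return len(q) >= self.count


def excluded(src, nets):
    """True if src falls in any negated network (models !$SMTP_SERVERS etc.)."""
    ip = ip_address(src)
    return any(ip in n for n in nets)


def run_rule(events, exclude=()):
    """events: iterable of (ts, src, qname).  Returns the set of source
    addresses that would have produced at least one alert."""
    df = DetectionFilter()
    alerted = set()
    for ts, src, qname in sorted(events):
        if not qname.endswith(".eu"):
            continue                         # rule content only matches .eu queries
        if excluded(src, exclude):
            continue                         # address negated in the rule header
        if df.check(src, ts):
            alerted.add(src)
    return alerted


def constructed_traffic():
    """Constructed DNS query log: (timestamp, source, queried name)."""
    events = []
    # infected workstation: 150 distinct .eu lookups in about 5 seconds
    events += [(i * 0.033, "10.0.2.15", f"h{i}.example.eu") for i in range(150)]
    # mail gateway: burst of MX-style lookups for .eu senders (legitimate)
    events += [(i * 0.02, "10.0.1.2", f"mx{i}.mail-example.eu") for i in range(120)]
    # ordinary workstation: a few .eu lookups and plenty of .com ones
    events += [(i * 0.5, "10.0.2.20", f"site{i}.example.eu") for i in range(20)]
    events += [(i * 0.1, "10.0.2.20", f"cdn{i}.example.com") for i in range(90)]
    # browser pre-fetch: one page with 105 links to distinct .eu domains
    events += [(i * 0.01, "10.0.2.30", f"link{i}.prefetch.eu") for i in range(105)]
    return events


if __name__ == "__main__":
    traffic = constructed_traffic()
    print("no exclusions:   ", sorted(run_rule(traffic)))
    print("!$SMTP_SERVERS:  ", sorted(run_rule(traffic, exclude=SMTP_SERVERS)))
    print("!$SMTP,!$DNS:    ", sorted(run_rule(traffic, exclude=SMTP_SERVERS + DNS_SERVERS)))
```

Run as-is, the first line lists the infected host, the mail gateway and the pre-fetching browser; adding the negated mail-server list drops the gateway, and the pre-fetch client remains in every case, which is the residual false-positive Joel describes.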
