[Snort-sigs] BOTNET-CNC Possible host infection - excessive DNS queries for .eu

Martin Holste mcholste at ...2420...
Mon Mar 12 12:46:46 EDT 2012

Not this one, but many like it based on excessive DNS lookups have
caused problems.  I agree that .eu is less common.  My point was that
adding !$SMTP_SERVERS is generally a good thing to do for DNS-based

On Mon, Mar 12, 2012 at 10:59 AM, Joel Esler <jesler at ...435...> wrote:
> Are you running this rule and seeing false positives?
> On Mar 12, 2012, at 11:46 AM, Martin Holste wrote:
>> My point was that you should probably use at least !$SMTP_SERVERS for
>> the srcip.  I can definitely understand not wanting to also add
>> !$DNS_SERVERS since a compromised client could (will?) be using the
>> org's DNS servers to do the lookups.  In any case, it's clear that the
>> rule is more for demonstrative purposes than anything, but that's why
>> I wanted to raise the point regarding some of the pitfalls of
>> detection_filter based rules for any new rule-writers out there.
>> On Mon, Mar 12, 2012 at 10:27 AM, Joel Esler <jesler at ...435...> wrote:
>>> On Mon, Mar 12, 2012 at 11:21 AM, Community Signatures
>>> <lists at ...3397...> wrote:
>>>> On 03/12/12 10:14, Martin Holste wrote:
>>>>> The sig, as written, will false like crazy on any medium or large
>>>>> sized network because it does not take into account DNS servers or
>>>>> SMTP servers (or spam gateways) which do a lot of DNS lookups.
>>>> I dunno, "detection_filter:track by_src, count 100, seconds 10;" -- even
>>>> in this high volume networks I would tend to agree that 10
>>>> queries/second is suspicious when 100 after 10 seconds is reached.
>>> We've had one report of a false positive on a rule similar to this as a
>>> result of Chrome doing pre-fetching on certain sites (.ru, not .eu) so I am
>>> sure it could happen.  If there are 100 external links NOT with the same
>>> domain name on a single page.
>>> This is an indicator of compromise.  In the new rule category system:
>>> http://blog.snort.org/2012/03/rule-category-reorganization.html
>>> This will go in INDICATOR-COMPROMISE
>>> --
>>> Joel Esler
>>> Senior Research Engineer, VRT
>>> OpenSource Community Manager
>>> Sourcefire

More information about the Snort-sigs mailing list