[Snort-sigs] BOTNET-CNC Possible host infection - excessive DNS queries for .eu

Joel Esler jesler at ...435...
Mon Mar 12 12:55:58 EDT 2012

Okay, thanks.  We'll keep that in mind.  For now we'll let it go and see if we get any FP reports from it and what we can do to address those.


On Mar 12, 2012, at 12:46 PM, Martin Holste wrote:

> Not this one, but many like it based on excessive DNS lookups have
> caused problems.  I agree that .eu is less common.  My point was that
> adding !$SMTP_SERVERS is generally a good thing to do for DNS-based
> sigs.
> On Mon, Mar 12, 2012 at 10:59 AM, Joel Esler <jesler at ...435...> wrote:
>> Are you running this rule and seeing false positives?
>> On Mar 12, 2012, at 11:46 AM, Martin Holste wrote:
>>> My point was that you should probably use at least !$SMTP_SERVERS for
>>> the srcip.  I can definitely understand not wanting to also add
>>> !$DNS_SERVERS since a compromised client could (will?) be using the
>>> org's DNS servers to do the lookups.  In any case, it's clear that the
>>> rule is more for demonstrative purposes than anything, but that's why
>>> I wanted to raise the point regarding some of the pitfalls of
>>> detection_filter based rules for any new rule-writers out there.
>>> On Mon, Mar 12, 2012 at 10:27 AM, Joel Esler <jesler at ...435...> wrote:
>>>> On Mon, Mar 12, 2012 at 11:21 AM, Community Signatures
>>>> <lists at ...3397...> wrote:
>>>>> On 03/12/12 10:14, Martin Holste wrote:
>>>>>> The sig, as written, will false like crazy on any medium or large
>>>>>> sized network because it does not take into account DNS servers or
>>>>>> SMTP servers (or spam gateways) which do a lot of DNS lookups.
>>>>> I dunno, "detection_filter:track by_src, count 100, seconds 10;" -- even
>>>>> in this high volume networks I would tend to agree that 10
>>>>> queries/second is suspicious when 100 after 10 seconds is reached.
>>>> We've had one report of a false positive on a rule similar to this as a
>>>> result of Chrome doing pre-fetching on certain sites (.ru, not .eu) so I am
>>>> sure it could happen.  If there are 100 external links NOT with the same
>>>> domain name on a single page.
>>>> This is an indicator of compromise.  In the new rule category system:
>>>> http://blog.snort.org/2012/03/rule-category-reorganization.html
>>>> This will go in INDICATOR-COMPROMISE
>>>> --
>>>> Joel Esler
>>>> Senior Research Engineer, VRT
>>>> OpenSource Community Manager
>>>> Sourcefire

More information about the Snort-sigs mailing list