[Snort-sigs] External DNS 127.0.0.1 response

James Lay jlay at ...3266...
Fri Apr 19 14:12:22 EDT 2013


Bot suspension technique:

# An A record carries its address as four raw bytes, so match RDLENGTH 4 followed by 7F 00 00 01 rather than the ASCII string.
alert udp $EXTERNAL_NET 53 -> $DNS_SERVERS any (msg:"INDICATOR-COMPROMISE External DNS 127.0.0.1 response, possible bot suspension"; flow:from_server; content:"|00 04 7F 00 00 01|"; fast_pattern:only; metadata:impact_flag red, service dns; classtype:trojan-activity; sid:10000048; rev:1;)

James


