[Snort-sigs] External DNS 127.0.0.1 response

lists at ...3397...
Fri Apr 19 14:23:55 EDT 2013


On 04/19/2013 01:12 PM, James Lay wrote:
> Bot suspension technique:
> 
> alert udp $EXTERNAL_NET 53 -> $DNS_SERVERS any (msg:"INDICATOR-COMPROMISE External DNS 127.0.0.1 response, possible bot suspension"; flow:from_server; content:"127.0.0.1"; fast_pattern:only; metadata:impact_flag red, service dns; classtype:trojan-activity; sid:10000048; rev:1;)

Hey bro, won't this false positive on some RBL/SBL lookups, for example those
that return 127.0.0.1[0-9]?$ like SORBS and Spamhaus?

http://www.spamhaus.org/faq/section/DNSBL%20Usage#200
http://www.sorbs.net/using.shtml
etc

Cheers,
Nathan
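Added example, not from the thread: a Python check that decodes a DNS A response, flags answers in 127.0.0.0/8 (the condition the rule above targets), and suppresses the DNSBL lookups Nathan mentions by query name. The DNSBL zone list and the sample packets are constructed assumptions.

```python
import ipaddress
import struct

# Constructed list of DNSBL zones whose answers legitimately fall in 127.0.0.0/8
# (an assumption for this example; extend it with the zones your resolvers query).
DNSBL_SUFFIXES = ("zen.spamhaus.org", "dnsbl.sorbs.net")

def read_name(pkt, off):
    """Decode a DNS name at pkt[off:], following compression pointers.
    Returns (name, offset just past the name in the original stream)."""
    labels, end = [], None
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:            # compression pointer, 2 bytes
            if end is None:
                end = off + 2
            off = ((length & 0x3F) << 8) | pkt[off + 1]
            continue
        off += 1
        if length == 0:
            break
        labels.append(pkt[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)

def classify_response(pkt):
    """Return 'alert', 'dnsbl' or 'clean' for a raw DNS response payload."""
    qdcount, ancount = struct.unpack("!HH", pkt[4:8])
    off, qname, loopback = 12, "", False
    for _ in range(qdcount):
        qname, off = read_name(pkt, off)
        off += 4                             # skip QTYPE and QCLASS
    for _ in range(ancount):
        _, off = read_name(pkt, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:        # A record: 4 raw address bytes
            loopback |= ipaddress.IPv4Address(pkt[off:off + 4]).is_loopback
        off += rdlen
    if not loopback:
        return "clean"
    # A 127.x answer to a DNSBL query is the expected listing code, not a hijack.
    if any(qname.lower().endswith("." + z) for z in DNSBL_SUFFIXES):
        return "dnsbl"
    return "alert"

def build_response(qname, addr):
    """Build a minimal DNS A response (constructed sample data, not a capture)."""
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    question = name + struct.pack("!HH", 1, 1)            # QTYPE A, QCLASS IN
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + ipaddress.IPv4Address(addr).packed
    return header + question + answer
```

The check matches on the decoded address rather than the literal string "127.0.0.1": in an A record the address travels as four raw bytes (|7F 00 00 01| in Snort content syntax), not as ASCII text.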
