[Snort-sigs] External DNS 127.0.0.1 response

James Lay jlay at ...3266...
Fri Apr 19 14:31:52 EDT 2013


On Apr 19, 2013, at 12:23 PM, "lists at ...3397..." <lists at ...3397...> wrote:

> On 04/19/2013 01:12 PM, James Lay wrote:
>> Bot suspension technique:
>> 
>> alert udp $EXTERNAL_NET 53 -> $DNS_SERVERS any (msg:"INDICATOR-COMPROMISE External DNS 127.0.0.1 response, possible bot suspension"; flow:from_server; content:"127.0.0.1"; fast_pattern:only; metadata:impact_flag red, service dns; classtype:trojan-activity; sid:10000048; rev:1;)
> 
> Hey bro, won't this false positive on some RBL/SBL lookups for example, those
> that return 127.0.0.1[0-9]?$ like SORBS and SpamHaus?
> 
> http://www.spamhaus.org/faq/section/DNSBL%20Usage#200
> http://www.sorbs.net/using.shtml
> etc
> 
> Cheers,
> Nathan


LoL…totally didn't think of that..running now and we'll see if I get FP's :)

James
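The rule quoted above matches the ASCII text `127.0.0.1`, but a DNS A record carries the address as the four raw bytes `7F 00 00 01` (in Snort syntax, `content:"|7F 00 00 01|"`), so a parser that reads the answer section can both check for the exact loopback answer and set aside the 127.0.0.x listing codes Nathan mentions. Added example, not code from the thread; the sample responses and query names are constructed:

```python
import struct
import ipaddress

def _skip_name(msg: bytes, off: int) -> int:
    """Advance past a DNS name (length-prefixed labels or a 2-byte compression pointer)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length

def a_records(response: bytes) -> list[str]:
    """IPv4 addresses from the answer-section A records of a DNS response."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!6H", response[:12])
    if not flags & 0x8000:  # QR bit clear: a query, not a response
        return []
    off = 12
    for _ in range(qd):  # skip question entries: name + qtype + qclass
        off = _skip_name(response, off) + 4
    addrs = []
    for _ in range(an):
        off = _skip_name(response, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", response[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:  # A record: address is four raw bytes, not text
            addrs.append(str(ipaddress.IPv4Address(response[off:off + 4])))
        off += rdlen
    return addrs

def classify(response: bytes) -> str:
    """'loopback' for an exact 127.0.0.1 answer (what the rule is after),
    'dnsbl' for any other 127.0.0.x answer (DNSBL listing codes), else 'clean'."""
    addrs = a_records(response)
    if "127.0.0.1" in addrs:
        return "loopback"
    if any(ipaddress.IPv4Address(a) in ipaddress.IPv4Network("127.0.0.0/8") for a in addrs):
        return "dnsbl"
    return "clean"

def build_response(qname: str, ips: list[str]) -> bytes:
    """Constructed sample response (not a capture): one question, one A record per ip."""
    labels = b"".join(bytes([len(lab)]) + lab.encode() for lab in qname.split("."))
    question = labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    answers = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4)
                       + ipaddress.IPv4Address(ip).packed for ip in ips)
    header = struct.pack("!6H", 0x1234, 0x8180, 1, len(ips), 0, 0)  # standard response, 1 question
    return header + question + answers
```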
