[Snort-sigs] External DNS 127.0.0.1 response

James Lay jlay at ...3266...
Sat Apr 20 10:43:43 EDT 2013


Yea so this rule is a semi bust due to exactly where you hit it Nathan…RBL and SBL lookups will FP on this.  That being said however this rule might be helpful in organizations that don't host their own mail server:

alert udp $EXTERNAL_NET 53 -> $DNS_SERVERS any (msg:"INDICATOR-COMPROMISE External DNS 127.0.0.1 response, possible bot suspension"; content:"|7F 00 00 01|"; fast_pattern:only; classtype:trojan-activity; sid:10000048; rev:1;)



And this one below could be useful for internal localhost dns response…I'm thinking compromised workstation sends request to say your domain controller and the domain controller sends this back

alert udp $DNS_SERVERS 53 -> $HOME_NET any (msg:"INDICATOR-COMPROMISE DNS 127.0.0.1 response, possible bot suspension"; flow:from_server; content:"|7F 00 00 01|"; fast_pattern:only; metadata:impact_flag red, service dns; classtype:trojan-activity; sid:10000049; rev:2;)

Maybe useful, maybe not…and I love the flow I put in on the original one….good grief 8-|

James


On Apr 19, 2013, at 12:31 PM, James Lay <jlay at ...3266...> wrote:

> 
> On Apr 19, 2013, at 12:23 PM, "lists at ...3397..." <lists at ...3397...> wrote:
> 
>> On 04/19/2013 01:12 PM, James Lay wrote:
>>> Bot suspension technique:
>>> 
>>> alert udp $EXTERNAL_NET 53 -> $DNS_SERVERS any (msg:"INDICATOR-COMPROMISE External DNS 127.0.0.1 response, possible bot suspension"; flow:from_server; content:"127.0.0.1"; fast_pattern:only; metadata:impact_flag red, service dns; classtype:trojan-activity; sid:10000048; rev:1;)
>> 
>> Hey bro, won't this false positive on some RBL/SBL lookups for example, those
>> that return 127.0.0.1[0-9]?$ like SORBS and SpamHaus?
>> 
>> http://www.spamhaus.org/faq/section/DNSBL%20Usage#200
>> http://www.sorbs.net/using.shtml
>> etc
>> 
>> Cheers,
>> Nathan
> 
> 
> LoL…totally didn't think of that..running now and we'll see if I get FP's :)
> 
> James
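As an added example (not part of the thread and not one of the rules above), the Python below makes the false-positive discussion concrete. It builds a few DNS responses inline (constructed samples), parses the answer section, and raises only when an A-record RDATA is 127.0.0.1 for a name that is not under a DNSBL zone, next to the naive 4-byte content match that the rules perform on the whole datagram. The DNSBL allowlist, the query names and the answer values are assumptions for illustration, not observed DNSBL behaviour.

```python
import struct
from typing import List, Tuple

# Assumed allowlist of DNSBL zones (the two lists named in the thread); lookups under
# these zones return 127.0.0.x answers by design and must not trigger the check.
DNSBL_ZONES = ("zen.spamhaus.org", "dnsbl.sorbs.net")


def encode_name(name: str) -> bytes:
    """Wire-encode a domain name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(qname: str, answers: List[str], ttl: int = 300, txid: int = 0x1234) -> bytes:
    """Construct a minimal DNS response (QR=1, RD, RA, NOERROR) carrying A records only."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    rrs = b""
    for ip in answers:
        rdata = bytes(int(o) for o in ip.split("."))
        # 0xC00C: compression pointer to offset 12 (the question name); then type, class, TTL, rdlength
        rrs += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata
    return header + question + rrs


def read_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Decode a possibly-compressed name; return (name, offset just past it in the stream)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer: follow it, but the field itself is 2 bytes
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), end


def parse_a_answers(msg: bytes) -> Tuple[str, List[str]]:
    """Return (first query name, list of A-record addresses found in the answer section)."""
    _txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off, qname = 12, ""
    for _ in range(qd):
        qname, off = read_name(msg, off)
        off += 4  # QTYPE + QCLASS
    ips = []
    for _ in range(an):
        _, off = read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in rdata))
    return qname, ips


def naive_match(msg: bytes) -> bool:
    """What content:"|7F 00 00 01|" does: match the 4 bytes anywhere in the datagram."""
    return b"\x7f\x00\x00\x01" in msg


def loopback_answer_alert(msg: bytes, dnsbl_zones=DNSBL_ZONES) -> bool:
    """Alert only when an A-record RDATA is exactly 127.0.0.1 and the query is not a DNSBL lookup."""
    qname, ips = parse_a_answers(msg)
    if "127.0.0.1" not in ips:
        return False
    return not any(qname == z or qname.endswith("." + z) for z in dnsbl_zones)


if __name__ == "__main__":
    # Constructed samples: a sinkholed C2 name, a DNSBL lookup, and an ordinary answer whose TTL
    # happens to encode as 7F 00 00 01 (contrived, to show the content match is position-agnostic).
    samples = {
        "sinkholed C2": build_response("cnc.example.net", ["127.0.0.1"]),
        "DNSBL lookup": build_response("2.0.0.127.zen.spamhaus.org", ["127.0.0.1"]),
        "TTL collision": build_response("www.example.com", ["93.184.216.34"], ttl=0x7F000001),
    }
    for label, pkt in samples.items():
        print(f"{label:14s} naive={naive_match(pkt)} precise={loopback_answer_alert(pkt)}")
```

The precise check still needs an allowlist because some lists do return 127.0.0.1, so the thread's point stands: the content match cannot tell a sinkhole answer from a blocklist hit, and restricting the match to the RDATA field removes only the unrelated byte collisions, not the DNSBL overlap.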
