[Snort-sigs] International Domain Name access

James Lay jlay at ...3266...
Tue May 7 18:58:05 EDT 2013


Just had a hootin good time here....never seen a host like this before:

xn----4tbbdcdd.xn--p1ai

The below should alert on web access...not sure if I'll sig up DNS 
requests.

# Both content matches are scoped to http_header so within:100 is measured inside one buffer.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY International Domain Name web access"; flow:to_server,established; content:"Host|3a|"; http_header; content:"xn--"; http_header; within:100; classtype:trojan-activity; metadata:ruleset community; reference:url,http://blogs.msdn.com/b/ie/archive/2006/07/31/684337.aspx; sid:10000052; rev:1;)

Maybe useful, maybe not.

James
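
A triage helper for alerts from a rule like the one above, added here as an example and not part of the original post: it reads only the Host header, checks for the "xn--" prefix per DNS label, and decodes the Punycode so an analyst sees the Unicode name. The names idn_host, decode_label and SAMPLES are hypothetical, and the sample requests are constructed (the first uses the host quoted in the post).

```python
import re

# Match only the Host header line; header names are case-insensitive.
HOST_RE = re.compile(rb"^Host:[ \t]*([^\r\n]*)", re.I | re.M)

def decode_label(label: str) -> str:
    """Decode one 'xn--' (ACE) label to Unicode; return it unchanged otherwise."""
    if not label.startswith("xn--"):
        return label
    try:
        return label[4:].encode("ascii").decode("punycode")
    except ValueError:  # UnicodeError subclasses ValueError
        return label    # malformed Punycode: keep the raw label for the analyst

def idn_host(request: bytes):
    """Return (ascii_host, unicode_host) if the Host header has an IDN label, else None."""
    head = request.split(b"\r\n\r\n", 1)[0]
    m = HOST_RE.search(head)
    if not m:
        return None
    host = m.group(1).decode("ascii", "replace").strip().lower()
    host = re.sub(r":\d+$", "", host)            # drop an optional :port
    labels = host.split(".")
    if not any(l.startswith("xn--") for l in labels):
        return None
    return host, ".".join(decode_label(l) for l in labels)

# Constructed sample requests.
SAMPLES = [
    # Host from the post.
    b"GET / HTTP/1.1\r\nHost: xn----4tbbdcdd.xn--p1ai\r\n\r\n",
    # ASCII host, but "xn--" appears in the next header, inside a 100-byte
    # window after "Host:"; a byte-window match fires here, this parser does not.
    b"GET / HTTP/1.1\r\nHost: www.example.com\r\n"
    b"Referer: http://xn--p1ai/\r\n\r\n",
    # Upper-case ACE prefix with a port; a case-sensitive content match misses it.
    b"GET / HTTP/1.1\r\nHost: XN--P1AI:8080\r\n\r\n",
]

if __name__ == "__main__":
    for req in SAMPLES:
        print(idn_host(req))
```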



