[Snort-sigs] False positives for symcb.com

Robert Pritchard rob at ...3966...
Wed Oct 15 08:08:19 EDT 2014


Hello

Two new rules seem to be generating false positives, and indeed I think
they are flagging something non malicious in the first place. The
signature IDs are 32174 and 32173, which are flagging DNS requests for
sr & s2.symcd.com as known malware domains.

As far as I can tell this is incorrect. This is a domain registered to
Symantec which appears to be used for OCSP.

Whois for symcd.com gives:

Registrant Name: Domain Manager
Registrant Organization: Symantec Corporation
Registrant Street: 350 Ellis Street
Registrant City: Mountain View
Registrant State/Province: CA
Registrant Postal Code: 94043
Registrant Country: US
Registrant Phone: +1.6505278000
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: domains at ...3967...
Registry Admin ID:
Admin Name: Domain Manager
Admin Organization: Symantec Corporation
Admin Street: 350 Ellis Street
Admin City: Mountain View
Admin State/Province: CA
Admin Postal Code: 94043
Admin Country: US
Admin Phone: +1.6505278000
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: domains at ...3967...

Dig shows:

$ dig -t A sr.symcd.com

; <<>> DiG 9.8.3-P1 <<>> -t A sr.symcd.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29277
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;sr.symcd.com.            IN    A

;; ANSWER SECTION:
sr.symcd.com.        1022    IN    CNAME    ocsp.ws.symantec.com.edgekey.net.
ocsp.ws.symantec.com.edgekey.net. 6101 IN CNAME    e8218.ce.akamaiedge.net.
e8218.ce.akamaiedge.net. 20    IN    A    23.43.75.27

;; Query time: 59 msec
;; SERVER: 46.32.224.29#53(46.32.224.29)
;; WHEN: Wed Oct 15 13:16:19 2014
;; MSG SIZE  rcvd: 126

When I look for connections to 23.43.75.27 I see nothing but OCSP
requests, to those domains and others.

Happy to be proved wrong (it's not unusual!), but I think these domains
have been flagged as malicious in error.

Rob

-- 

Rob Pritchard
www.thecybersecurityexpert.com
Mobile: +44 7968 828122
Office: +44 20 3290 4065
Skype: thecybersecurityexpert
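Added example (not part of the message above, and not Snort or Symantec code): the post says the only traffic seen to the resolved IP is OCSP. One way to confirm that rather than eyeball it is to check the HTTP requests on the wire against the OCSP request format from RFC 6960: a POST with Content-Type application/ocsp-request carrying a DER OCSPRequest, or a GET whose path is the URL-encoded base64 of the same DER. The script below parses the request down to the CertID (hash algorithm OID, issuer hashes, serial) and returns None for anything that is not OCSP. The sample requests, hashes and serial are constructed by hand for the example, not captured traffic, and the hostname is only reused from the dig output.

```python
"""Triage helper: is this HTTP request an OCSP request (RFC 6960)?
Added example for the symcd.com thread; all sample data is constructed."""
import base64
from urllib.parse import quote, unquote

SHA1_OID = "1.3.14.3.2.26"   # id-sha1, the usual CertID hash algorithm


def der_tlv(data, pos=0):
    """Parse one DER TLV at pos; return (tag, value_bytes, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def der_children(value):
    """Yield (tag, body) for every TLV inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, body, pos = der_tlv(value, pos)
        yield tag, body


def decode_oid(body):
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def parse_ocsp_request(der):
    """Return [(hash_oid, issuer_name_hash_hex, issuer_key_hash_hex, serial)]
    for each CertID in an OCSPRequest, or None if the bytes lack that shape."""
    try:
        tag, ocsp_req, end = der_tlv(der)
        if tag != 0x30 or end != len(der):
            return None
        tbs_tag, tbs, _ = der_tlv(ocsp_req)          # tbsRequest
        if tbs_tag != 0x30:
            return None
        # optional [0] version / [1] requestorName precede requestList
        req_list = next(b for t, b in der_children(tbs) if t == 0x30)
        cert_ids = []
        for _, request in der_children(req_list):
            _, cert_id, _ = der_tlv(request)          # reqCert CertID
            alg, name_hash, key_hash, serial = [b for _, b in der_children(cert_id)]
            alg_oid = decode_oid(next(der_children(alg))[1])
            cert_ids.append((alg_oid, name_hash.hex(), key_hash.hex(),
                             int.from_bytes(serial, "big", signed=True)))
        return cert_ids or None
    except (IndexError, StopIteration, ValueError):
        return None


def classify_http_request(raw):
    """Return the CertIDs if raw HTTP request bytes are an OCSP request, else None."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, target, _ = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        k, _, v = line.partition(b":")
        headers[k.strip().lower()] = v.strip()
    if method == b"POST":
        if headers.get(b"content-type") != b"application/ocsp-request":
            return None
        return parse_ocsp_request(body)
    if method == b"GET":                     # RFC 6960 A.1: GET {url}/{base64 DER}
        b64 = unquote(target.decode().rsplit("/", 1)[-1])
        try:
            return parse_ocsp_request(base64.b64decode(b64, validate=True))
        except ValueError:                   # binascii.Error is a ValueError
            return None
    return None


# --- constructed sample data (hypothetical hashes/serial, not a real cert) ---
def der_encode(tag, body):
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def encode_oid(oid):
    arcs = [int(a) for a in oid.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.insert(0, 0x80 | (a & 0x7F))
            a >>= 7
        out += chunk
    return bytes(out)


def build_ocsp_request(name_hash, key_hash, serial):
    """Minimal OCSPRequest with a single SHA-1 CertID."""
    alg = der_encode(0x30, der_encode(0x06, encode_oid(SHA1_OID)) + b"\x05\x00")
    cert_id = der_encode(0x30, alg + der_encode(0x04, name_hash)
                         + der_encode(0x04, key_hash) + der_encode(0x02, serial))
    tbs = der_encode(0x30, der_encode(0x30, der_encode(0x30, cert_id)))
    return der_encode(0x30, tbs)


OCSP_DER = build_ocsp_request(b"\x11" * 20, b"\x22" * 20, b"\x01\x2a\xbc")
POST_SAMPLE = (b"POST / HTTP/1.1\r\nHost: sr.symcd.com\r\n"
               b"Content-Type: application/ocsp-request\r\nContent-Length: "
               + str(len(OCSP_DER)).encode() + b"\r\n\r\n" + OCSP_DER)
GET_SAMPLE = (b"GET /" + quote(base64.b64encode(OCSP_DER).decode(), safe="").encode()
              + b" HTTP/1.1\r\nHost: sr.symcd.com\r\n\r\n")
BEACON_SAMPLE = b"GET /gate.php?id=1 HTTP/1.1\r\nHost: sr.symcd.com\r\n\r\n"

if __name__ == "__main__":
    for name, req in [("POST", POST_SAMPLE), ("GET", GET_SAMPLE), ("other", BEACON_SAMPLE)]:
        print(name, classify_http_request(req))
```

Run it against the requests carved out of the sessions to 23.43.75.27: every one that decodes to a CertID is a revocation check, and the serials can be matched against the certificates the clients were validating. If the triage holds up, the local fix while the rules are corrected is a suppress entry for the two SIDs rather than disabling the ruleset.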
