[Snort-sigs] False positives for symcb.com
rob at ...3966...
Wed Oct 15 08:08:19 EDT 2014
Two new rules seem to be generating false positives, and indeed I think
they are flagging something non-malicious in the first place. The
signature IDs are 32174 and 32173, which are flagging DNS requests for
sr & s2.symcd.com as known malware domains.
As far as I can tell this is incorrect. This is a domain registered to
Symantec which appears to be used for OCSP.
Whois for symcd.com gives:
Registrant Name: Domain Manager
Registrant Organization: Symantec Corporation
Registrant Street: 350 Ellis Street
Registrant City: Mountain View
Registrant State/Province: CA
Registrant Postal Code: 94043
Registrant Country: US
Registrant Phone: +1.6505278000
Registrant Phone Ext:
Registrant Fax Ext:
Registrant Email: domains at ...3967...
Registry Admin ID:
Admin Name: Domain Manager
Admin Organization: Symantec Corporation
Admin Street: 350 Ellis Street
Admin City: Mountain View
Admin State/Province: CA
Admin Postal Code: 94043
Admin Country: US
Admin Phone: +1.6505278000
Admin Phone Ext:
Admin Fax Ext:
Admin Email: domains at ...3967...
$ dig -t A sr.symcd.com
; <<>> DiG 9.8.3-P1 <<>> -t A sr.symcd.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29277
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;sr.symcd.com. IN A
;; ANSWER SECTION:
sr.symcd.com. 1022 IN CNAME
ocsp.ws.symantec.com.edgekey.net. 6101 IN CNAME e8218.ce.akamaiedge.net.
e8218.ce.akamaiedge.net. 20 IN A 220.127.116.11
;; Query time: 59 msec
;; SERVER: 18.104.22.168#53(22.214.171.124)
;; WHEN: Wed Oct 15 13:16:19 2014
;; MSG SIZE rcvd: 126
When I look for connections to 126.96.36.199 I see nothing but OCSP
requests, to those domains and others.
Happy to be proved wrong (it's not unusual!), but I think these domains
have been flagged as malicious in error.
Mobile: +44 7968 828122
Office: +44 20 3290 4065
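The poster's check was to look at what actually flows to the resolved address and confirm it is OCSP. The following is an added example (my own code, not from the original post, the Snort rule set or Symantec) of how to do that check mechanically on captured HTTP request lines: an OCSP client using the GET form sends the DER-encoded OCSPRequest as URL-encoded base64 in the path (RFC 6960, appendix A.1), so a request line that decodes to a well-formed OCSPRequest is OCSP traffic regardless of which CDN hostname it went to. The issuer hashes and serial number below are constructed placeholders, not real Symantec values, and the path is assumed to be the bare base64 blob with no prefix.

```python
"""Decode OCSP GET requests from HTTP request lines (constructed example)."""
import base64
import hashlib
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import quote, unquote

# DER-encoded OID bodies for the hash algorithms commonly seen in CertID.
HASH_OIDS = {
    "2b0e03021a": "sha1",            # 1.3.14.3.2.26
    "608648016503040201": "sha256",  # 2.16.840.1.101.3.4.2.1
}

# Constructed sample values: not real issuer hashes or a real serial number.
ISSUER_NAME_HASH = hashlib.sha1(b"constructed issuer DN").digest()
ISSUER_KEY_HASH = hashlib.sha1(b"constructed issuer SPKI").digest()
SAMPLE_SERIAL = 0x1234567890ABCDEF


def der_len(n: int) -> bytes:
    """DER length octets, short or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body


def build_ocsp_request(name_hash: bytes, key_hash: bytes, serial: int) -> bytes:
    """Minimal unsigned OCSPRequest (RFC 6960 4.1.1) with one SHA-1 CertID."""
    alg = tlv(0x30, tlv(0x06, bytes.fromhex("2b0e03021a")) + tlv(0x05, b""))
    # Positive INTEGER: minimal big-endian bytes, leading 0x00 if the top bit is set.
    ser = serial.to_bytes((serial.bit_length() + 8) // 8, "big")
    cert_id = tlv(0x30, alg + tlv(0x04, name_hash) + tlv(0x04, key_hash) + tlv(0x02, ser))
    request_list = tlv(0x30, tlv(0x30, cert_id))   # SEQUENCE OF Request
    return tlv(0x30, tlv(0x30, request_list))      # OCSPRequest { tbsRequest }


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one DER TLV at pos; returns (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length


def children(body: bytes) -> List[Tuple[int, bytes]]:
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out


def parse_ocsp_request(der: bytes) -> List[Dict[str, object]]:
    """One dict per CertID in the request; raises ValueError on non-OCSP input."""
    tag, outer, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not an OCSPRequest SEQUENCE")
    tag, tbs, _ = read_tlv(outer, 0)              # tbsRequest
    if tag != 0x30:
        raise ValueError("missing tbsRequest")
    # Optional [0] version and [1] requestorName precede requestList, the first SEQUENCE.
    request_list = next((v for t, v in children(tbs) if t == 0x30), None)
    if request_list is None:
        raise ValueError("missing requestList")
    results = []
    for _, req in children(request_list):
        cert_id = children(req)[0][1]             # reqCert CertID
        alg, name_hash, key_hash, serial = children(cert_id)[:4]
        oid_hex = children(alg[1])[0][1].hex()
        results.append({
            "hashAlgorithm": HASH_OIDS.get(oid_hex, oid_hex),
            "issuerNameHash": name_hash[1].hex(),
            "issuerKeyHash": key_hash[1].hex(),
            "serial": int.from_bytes(serial[1], "big", signed=True),
        })
    return results


def ocsp_from_get_line(request_line: str) -> Optional[List[Dict[str, object]]]:
    """GET {url}/{url-encoded base64 DER OCSPRequest}; None if the line is not OCSP."""
    m = re.match(r"GET /(\S+) HTTP/1\.[01]", request_line)
    if not m:
        return None
    try:
        der = base64.b64decode(unquote(m.group(1)).encode(), validate=True)
        return parse_ocsp_request(der)
    except (ValueError, IndexError):
        return None


def sample_get_line() -> str:
    """Constructed request line as an OCSP client would send it to a responder."""
    der = build_ocsp_request(ISSUER_NAME_HASH, ISSUER_KEY_HASH, SAMPLE_SERIAL)
    return "GET /%s HTTP/1.1" % quote(base64.b64encode(der).decode(), safe="")


if __name__ == "__main__":
    for line in (sample_get_line(), "GET /index.html HTTP/1.1"):
        print(line[:60], "->", ocsp_from_get_line(line))
```

Run it against request lines pulled from a capture of the flagged flows: a line that decodes to a CertID (issuer hashes plus a certificate serial) is a revocation check, which is what the poster observed; a line that does not decode is something else and deserves a closer look. Responders that put a path prefix before the base64 blob, or clients that omit the URL encoding, need the path split adjusted.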