[Snort-sigs] DNS Reverse Shell sig

James Lay jlay at ...3266...
Wed Feb 4 14:50:16 EST 2015

In my testing of 
http://lockboxx.blogspot.com/2015/01/python-reverse-dns-shell.html I 
noticed that during the reverse shell session a semi-constant showed 
up...namely a character followed by a dash, followed by 56 other 
characters.  Pretty sure this could be changed in the python code, but 
this will catch this in it's current form.  It will not fire on each and 
every dns query, but will most likely fire at least during the session.

alert udp $HOME_NET any -> any 53 (msg:"Possible Python Reverse DNS 
Shell"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; 
fast_pattern; pcre:"/[a-z]-[a-z0-9]{56}/i"; 
classtype:bad-unknown; sid:10000150; rev:1;)

This WILL most likely FP if you're looking for a domain that matches 
the above style, but I couldn't find any such domain in my logs.  Enjoy.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: reversednsshell-select.pcapng
Type: application/octet-stream
Size: 1552 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20150204/327eb8bc/attachment.obj>

More information about the Snort-sigs mailing list