[Snort-sigs] DNS Reverse Shell sig

rmkml rmkml at ...174...
Wed Feb 4 15:29:33 EST 2015


Thx James for sharing,

Length is always the same, add 0x3A (DNS length) like this?
Add "-" for better performance?
Modify pcre to use relative?

alert udp $HOME_NET any -> any 53 (msg:"Possible Python Reverse DNS Shell";
  content:"|01 00 00 01 00 00 00 00 00 00 3A|"; depth:11; offset:2; fast_pattern;
  content:"-"; within:1; distance:1;
  pcre:"/^[a-z0-9]{56}/Ri";
  reference:url,lockboxx.blogspot.com/2015/01/python-reverse-dns-shell.html;
  classtype:bad-unknown; sid:10000150; rev:2;)

Best Regards
@Rmkml


On Wed, 4 Feb 2015, James Lay wrote:

> In my testing of 
> http://lockboxx.blogspot.com/2015/01/python-reverse-dns-shell.html I noticed 
> that during the reverse shell session a semi-constant showed up...namely a 
> character followed by a dash, followed by 56 other characters.  Pretty sure 
> this could be changed in the python code, but this will catch this in its 
> current form.  It will not fire on each and every dns query, but will most 
> likely fire at least during the session.
>
> alert udp $HOME_NET any -> any 53 (msg:"Possible Python Reverse DNS Shell"; 
> content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; fast_pattern; 
> pcre:"/[a-z]-[a-z0-9]{56}/i"; 
> reference:url,lockboxx.blogspot.com/2015/01/python-reverse-dns-shell.html; 
> classtype:bad-unknown; sid:10000150; rev:1;)
>
> This WILL most likely FP if you're looking for a domain that matches the 
> above style, but I couldn't find any such domain in my logs.  Enjoy.
>
> James
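Added example, not code from either poster: a Python model of the two rule versions applied to constructed DNS query packets, so the offsets in rev:2 can be checked against a real wire layout. The DNS message after the 2-byte transaction ID carries flags 0x0100, QDCOUNT 1 and three zero counts (the 10-byte content both rules match at offset 2); rmkml's rev:2 then requires the first label length byte to be 0x3A (58 = one character, a dash, 56 characters), the dash one byte after that match, and 56 `[a-z0-9]` bytes relative to the dash. The domain `example.com` and the label bodies below are constructed test data.

```python
import re
import struct

# Fixed bytes after the 2-byte transaction ID in a standard query: flags 0x0100
# (recursion desired), QDCOUNT 1, ANCOUNT/NSCOUNT/ARCOUNT 0. Both rule revisions
# match these 10 bytes at offset 2.
QUERY_HEADER = bytes.fromhex("01 00 00 01 00 00 00 00 00 00")


def build_dns_query(name: str, txid: int = 0x1234) -> bytes:
    """Encode a minimal DNS A/IN query for `name` (constructed test input)."""
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii") for label in name.split(".")
    ) + b"\x00"
    # QTYPE A (1), QCLASS IN (1)
    return struct.pack("!H", txid) + QUERY_HEADER + qname + struct.pack("!HH", 1, 1)


def matches_rev1(packet: bytes) -> bool:
    """rev:1 logic: the 10 header bytes at offset 2, then the unanchored
    pcre /[a-z]-[a-z0-9]{56}/i anywhere in the payload."""
    if packet[2:12] != QUERY_HEADER:
        return False
    return re.search(rb"[a-z]-[a-z0-9]{56}", packet, re.IGNORECASE) is not None


def matches_rev2(packet: bytes) -> bool:
    """rev:2 logic: header plus label length 0x3A, dash at a fixed offset,
    56 alphanumerics relative to the dash."""
    # content:"|01 00 00 01 00 00 00 00 00 00 3A|"; depth:11; offset:2
    # An 11-byte content with depth 11 at offset 2 must sit exactly at byte 2;
    # byte 12 is the first label's length byte.
    if packet[2:13] != QUERY_HEADER + b"\x3a":
        return False
    # content:"-"; distance:1; within:1
    # The cursor is at byte 13 (first label character); skip it, then the
    # dash must be byte 14.
    if packet[14:15] != b"-":
        return False
    # pcre:"/^[a-z0-9]{56}/Ri" -> anchored at byte 15, right after the dash
    return re.match(rb"[a-z0-9]{56}", packet[15:], re.IGNORECASE) is not None


def classify(name: str) -> dict:
    """Run both revisions over a query for `name` and report the verdicts."""
    packet = build_dns_query(name)
    return {"name": name, "rev1": matches_rev1(packet), "rev2": matches_rev2(packet)}


if __name__ == "__main__":
    # Constructed samples: a benign lookup, a first label in the reported
    # shape, and the same shape as a *second* label (which rev:1 still catches
    # because its pcre is unanchored, while rev:2 requires it first).
    body = "b1" * 28  # 56 alphanumeric characters
    for sample in ("www.example.com", f"a-{body}.example.com", f"x.a-{body}.example.com"):
        print(classify(sample))
```

The third sample shows what rev:2 trades away: anchoring on the first label's 0x3A length byte makes the fast-pattern content longer and the pcre cheap, but a shell that moved the encoded chunk to a later label would only be caught by the unanchored rev:1 expression.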
