[Snort-sigs] DNS Reverse Shell sig

James Lay jlay at ...3266...
Wed Feb 4 15:59:14 EST 2015


On 2015-02-04 01:29 PM, rmkml wrote:
> Thx James for sharing,
>
> Length is always the same, add 0x3A (dns length) like this ?
> Add "-" for better performance ?
> modify pcre to use relative?
>
> alert udp $HOME_NET any -> any 53 (msg:"Possible Python Reverse DNS 
> Shell"; content:"|01 00 00 01 00 00 00 00 00 00 3A|"; depth:11; 
> offset:2; fast_pattern; content:"-"; within:1; distance:1; 
> pcre:"/^[a-z0-9]{56}/Ri"; 
> reference:url,lockboxx.blogspot.com/2015/01/python-reverse-dns-shell.html; 
> classtype:bad-unknown; sid:10000150; rev:2;)
>
> Best Regards
> @Rmkml
>
>
> On Wed, 4 Feb 2015, James Lay wrote:
>
>> In my testing of 
>> http://lockboxx.blogspot.com/2015/01/python-reverse-dns-shell.html I 
>> noticed that during the reverse shell session a semi-constant showed 
>> up...namely a character followed by a dash, followed by 56 other 
>> characters.  Pretty sure this could be changed in the python code, but 
>> this will catch this in its current form.  It will not fire on each 
>> and every dns query, but will most likely fire at least during the 
>> session.
>>
>> alert udp $HOME_NET any -> any 53 (msg:"Possible Python Reverse DNS 
>> Shell"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; 
>> fast_pattern; pcre:"/[a-z]-[a-z0-9]{56}/i"; 
>> reference:url,lockboxx.blogspot.com/2015/01/python-reverse-dns-shell.html; 
>> classtype:bad-unknown; sid:10000150; rev:1;)
>>
>> This WILL most likely FP if you're looking for a domain that matches 
>> the above style, but I couldn't find any such domain in my logs.  
>> Enjoy.
>>
>> James

That's a good idea...would that still catch the initial "[a-zA-Z]-" at 
the start though?  Or just the "-[a-z0-9]{56}"...thanks RM!

James
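To compare the two rule revisions on the same packets, here is an added example (not code from this thread or from Snort) that emulates each revision's match logic in Python over constructed DNS queries. It assumes the unquoted rule above is rmkml's proposed rev:2, and that `distance:1; within:1` pins the "-" to exactly one byte after the 0x3A label-length byte; the packet builder and sample labels are constructed, not captured traffic.

```python
import re
import struct

# Byte sequences taken from the two rules in this thread.
HEADER_REV1 = b"\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"   # rev:1, depth:10
HEADER_REV2 = HEADER_REV1 + b"\x3a"                         # rev:2, depth:11 (label length 58)

def build_dns_query(first_label: bytes, txid: int = 0x1234) -> bytes:
    """Constructed DNS query (not captured traffic): flags 0x0100, QDCOUNT 1,
    QNAME = <first_label>.example.com, QTYPE A, QCLASS IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = (first_label, b"example", b"com")
    qname = b"".join(bytes([len(lbl)]) + lbl for lbl in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)

def matches_rev1(payload: bytes) -> bool:
    """rev:1 -- fixed header bytes at offset 2, then an unanchored pcre that
    needs a letter, a dash and 56 alphanumerics anywhere in the packet."""
    if payload[2:2 + len(HEADER_REV1)] != HEADER_REV1:
        return False
    return re.search(rb"[a-z]-[a-z0-9]{56}", payload, re.IGNORECASE) is not None

def matches_rev2(payload: bytes) -> bool:
    """rev:2 -- header plus 0x3A label length, then "-" exactly one byte after
    that (distance:1; within:1, as assumed here), then 56 alphanumerics
    anchored right after the dash (/^.../R)."""
    end = 2 + len(HEADER_REV2)                 # end of the header content match
    if payload[2:end] != HEADER_REV2:
        return False
    dash_at = end + 1                          # distance:1 skips the label's first byte
    if payload[dash_at:dash_at + 1] != b"-":   # within:1 -> the dash must sit right here
        return False
    return re.match(rb"[a-z0-9]{56}", payload[dash_at + 1:], re.IGNORECASE) is not None

def verdicts(first_label: bytes) -> tuple:
    """Return (rev1_fires, rev2_fires) for a query whose first label is first_label."""
    pkt = build_dns_query(first_label)
    return matches_rev1(pkt), matches_rev2(pkt)

if __name__ == "__main__":
    # A letter before the dash, a digit before the dash, and a benign label.
    for label in (b"a-" + b"q" * 56, b"9-" + b"q" * 56, b"www"):
        print(label[:4], verdicts(label))
```

Running it shows where the two revisions differ: rev:2 never inspects the byte before the dash, while rev:1 requires it to be a letter, so a label like `9-<56 chars>` fires only the newer rule.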
