[Snort-sigs] Rule 3:30881

James Lay jlay at ...3266...
Thu Oct 20 10:05:21 EDT 2016


Rule:
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"MALWARE-OTHER dns request with long host name segment - possible data exfiltration attempt"; sid:30881; gid:3; rev:4; classtype:attempted-recon; metadata: engine shared, soid 3|30881, service dns;)

Hit:
[3:30881:3] MALWARE-OTHER dns request with long host name segment - possible data exfiltration attempt [Classification: Attempted Information Leak] [Priority: 2] {UDP} x.x.x.x:64712 -> x.x.x.x:53

dns request
cat-server-lb-tus1gwynwapex01-368602537.us-east-1.elb.amazonaws.com

I'm hoping you folks can look at this instead of myself just blindly 
event_filtering this rule.  Thank you.

James
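An added example, not from the post or from the rule's author, of the label-length heuristic this shared-object rule implements and of a suffix allowlist as a narrower alternative to event_filtering the whole rule. The 32-byte threshold is an assumption (the real limit in the 3:30881 SO rule is not given on the list), and the allowlist suffix is chosen to match the ELB name in the hit above.

```python
import struct

# Assumed threshold for illustration; the real 3:30881 SO rule limit is not published here.
LONG_LABEL_THRESHOLD = 32
# Known-legitimate suffixes that routinely produce long labels (AWS ELB names).
ALLOWLIST_SUFFIXES = (".elb.amazonaws.com",)


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a constructed DNS A query (wire format) for `name`, as a client would send it."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # QDCOUNT=1, RD set
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_qname(packet: bytes) -> list:
    """Return the labels of the first question name; rejects truncated or compressed names."""
    if len(packet) < 12:
        raise ValueError("short DNS header")
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            raise ValueError("truncated qname")
        n = packet[pos]
        if n == 0:
            return labels
        if n & 0xC0:
            raise ValueError("compression pointer in question name")
        pos += 1
        labels.append(packet[pos:pos + n].decode("ascii", errors="replace"))
        pos += n


def classify(packet: bytes, allowlist=ALLOWLIST_SUFFIXES) -> tuple:
    """Return (alert, longest_label_len): alert when any label exceeds the threshold
    and the full name does not end in an allowlisted suffix."""
    labels = parse_qname(packet)
    name = ".".join(labels)
    longest = max((len(l) for l in labels), default=0)
    if name.endswith(tuple(allowlist)):
        return False, longest
    return longest > LONG_LABEL_THRESHOLD, longest


if __name__ == "__main__":
    # The ELB name from the hit, and a constructed hex-encoded label of the kind the rule targets.
    for host in ("cat-server-lb-tus1gwynwapex01-368602537.us-east-1.elb.amazonaws.com",
                 "4a6f686e446f6520313233343536373839303132.constructed.example"):
        print(host, classify(build_query(host)))
```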
