[Snort-sigs] Rule 3:30881

Jeremy Hoel jthoel at ...2420...
Thu Oct 20 19:13:34 EDT 2016


So for this type of rule, for the clients I have been working with, I tell
them that there isn't a great way to filter this.  It's looking for overly
long DNS queries, which rack space providers offer and while it can be
assumed that someone doing malware things wouldn't use
computername.ip.info.amazon.aws  (or some other long dns exfiltration
scheme).. it should be able to exclude CDNs and some AWS domains.. just
knowing that you might be opening it up to other things.

I have been thinking about how to do other things in order to prevent FPs,
but I couldn't come up with anything that could also be used by the bad
guys.  As people use more cloud based services, this is going to become
harder to use.  A better option might be to just capture DNS queries and
quickly query that

On Thu, Oct 20, 2016 at 7:05 AM, James Lay <jlay at ...3266...> wrote:

> Rule:
> alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"MALWARE-OTHER dns
> request with long host name segment - possible data exfiltration
> attempt"; sid:30881; gid:3; rev:4; classtype:attempted-recon; metadata:
> engine shared, soid 3|30881, service dns;)
>
> Hit
> [3:30881:3] MALWARE-OTHER dns request with long host name segment -
> possible data exfiltration attempt [Classification: Attempted
> Information Leak] [Priority: 2] {UDP} x.x.x.x:64712 -> x.x.x.x:53
>
> dns request
> cat-server-lb-tus1gwynwapex01-368602537.us-east-1.elb.amazonaws.com
>
> I'm hoping you folks can look at this instead of myself just blindly
> event_filtering this rule.  Thank you.
>
> James
>
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
>
>
> Please visit http://blog.snort.org for the latest news about Snort!
>
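One way to do the exclusion Jeremy describes (long-label check first, then a suffix allowlist for known CDN/ELB domains) as a standalone triage helper. This is an added example, not code from the thread or from the Snort rule: the 32-character label threshold and the allowlist entries are constructed assumptions, since the shared-object rule's real threshold is not given on the list.

```python
"""Triage helper for long-label DNS query names (3:30881-style hits).

Added example, not part of the mailing-list thread. The threshold and
the allowlist below are constructed for illustration only.
"""
from typing import Iterable, List, Tuple

MAX_LABEL_LEN = 32  # assumed threshold; the real rule's value is not published here

# Constructed allowlist: suffixes of services known to use long generated labels.
ALLOWLIST_SUFFIXES = (
    "elb.amazonaws.com",
    "cloudfront.net",
)


def longest_label(qname: str) -> int:
    """Length of the longest dot-separated label in a query name."""
    return max((len(label) for label in qname.rstrip(".").split(".")), default=0)


def matches_allowlist(qname: str, suffixes: Iterable[str] = ALLOWLIST_SUFFIXES) -> bool:
    """True only when qname equals a suffix or is a subdomain of it.

    Matching on a label boundary means 'elb.amazonaws.com.tunnel.example'
    and 'notelb.amazonaws.com' do NOT count as allowlisted.
    """
    name = qname.rstrip(".").lower()
    for suffix in suffixes:
        suffix = suffix.rstrip(".").lower()
        if name == suffix or name.endswith("." + suffix):
            return True
    return False


def triage(qname: str) -> str:
    """Return 'ok' (short labels), 'allowlisted' (long but trusted) or 'alert'."""
    if longest_label(qname) <= MAX_LABEL_LEN:
        return "ok"
    if matches_allowlist(qname):
        return "allowlisted"
    return "alert"


def triage_log(records: Iterable[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Run triage over (src_ip, qname) pairs and keep everything that is not 'ok'."""
    return [(src, q, triage(q)) for src, q in records if triage(q) != "ok"]


if __name__ == "__main__":
    # Constructed sample: James's ELB hit from the thread plus a hex-looking label.
    sample = [
        ("10.0.0.5", "cat-server-lb-tus1gwynwapex01-368602537.us-east-1.elb.amazonaws.com"),
        ("10.0.0.7", "0123456789abcdef" * 3 + ".tunnel.example"),
        ("10.0.0.9", "www.example.com"),
    ]
    for row in triage_log(sample):
        print(row)
```

Anything the allowlist admits is, as Jeremy notes, also available to an attacker who registers under a similar provider, so treat the `allowlisted` verdict as lower priority rather than as safe.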