[Snort-sigs] Rule 3:30881

James Lay jlay at ...3266...
Fri Oct 21 13:41:38 EDT 2016


Thanks Jeremy.  Yea this one is odd...I may have to craft a custom 
exclude filter for maybe "cat-server-lb-tus1gwynwapex"...I don't want to 
just event filter the entire rule since ya..it's catching exfiltration 
via UDP.

James

On 2016-10-20 17:13, Jeremy Hoel wrote:
> So for this type of rule, for the clients I have been working with, I
> tell them that there isn't a great way to filter this.  It's looking
> for overly long DNS queries, which rack space providers offer and
> while it can be assumed that someone doing malware things wouldn't use
> computername.ip.info.amazon.aws  (or some other long dns exfiltration
> scheme).. it should be able to exclude CDNs and some AWS domains..
> just knowing that you might be opening it up to other things.
> 
> I have been thinking about how to do other things in order to prevent
> FPs, but I couldn't come up with anything that could also be used by
> the bad guys.  As people use more cloud based services, this is going
> to become harder to use.  A better option might be to just capture DNS
> queries and quickly query that
> 
> On Thu, Oct 20, 2016 at 7:05 AM, James Lay <jlay at ...3266...>
> wrote:
> 
>> Rule:
>> alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"MALWARE-OTHER dns
>> request with long host name segment - possible data exfiltration
>> attempt"; sid:30881; gid:3; rev:4; classtype:attempted-recon;
>> metadata:
>> engine shared, soid 3|30881, service dns;)
>> 
>> Hit
>> [3:30881:3] MALWARE-OTHER dns request with long host name segment -
>> possible data exfiltration attempt [Classification: Attempted
>> Information Leak] [Priority: 2] {UDP} x.x.x.x:64712 -> x.x.x.x:53
>> 
>> dns request
>> cat-server-lb-tus1gwynwapex01-368602537.us-east-1.elb.amazonaws.com
>> 
>> I'm hoping you folks can look at this instead of myself just blindly
>> event_filtering this rule.  Thank you.
>> 
>> James
>> 
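An added example, not from this thread or from the Snort project: a small Python check that mirrors the tradeoff discussed above, flagging DNS queries whose longest label exceeds a cutoff and then suppressing known-benign suffixes such as the ELB hostname James reports. The label-length threshold, the log line format and the allowlist are assumptions; the real cutoff used by the shared-object rule is not shown in the thread.

```python
import re

# Assumed cutoff: SID 3:30881 is a shared-object rule, so its real label
# length threshold is not visible in the thread. 32 is a constructed value.
LONG_LABEL_THRESHOLD = 32

# Constructed allowlist of suffixes the analyst chooses to exclude, per the
# thread's idea of excluding CDNs / some AWS domains rather than the whole rule.
BENIGN_SUFFIXES = (".elb.amazonaws.com",)

# Constructed sample query log lines in an assumed "src -> dst qname" format.
SAMPLE_LOG = """\
10.0.0.5:64712 -> 10.0.0.1:53 cat-server-lb-tus1gwynwapex01-368602537.us-east-1.elb.amazonaws.com
10.0.0.6:51000 -> 10.0.0.1:53 www.example.com
10.0.0.7:53021 -> 10.0.0.1:53 a3f9c2e71b8d4e6f0a1c5b9d8e7f6a5b4c3d2e1f.example.net
"""

LOG_RE = re.compile(r"^(\S+) -> (\S+) (\S+)$")


def longest_label(qname):
    """Length of the longest dot-separated label in a query name."""
    return max((len(label) for label in qname.rstrip(".").split(".")), default=0)


def classify(qname, threshold=LONG_LABEL_THRESHOLD, allow=BENIGN_SUFFIXES):
    """Return 'ok', 'suppressed' (long label but allowlisted) or 'alert'."""
    if longest_label(qname) <= threshold:
        return "ok"
    name = qname.rstrip(".").lower()
    if any(name.endswith(suffix) for suffix in allow):
        return "suppressed"
    return "alert"


def scan_log(text, **kwargs):
    """Classify every parsable line; returns a list of (src, qname, verdict)."""
    results = []
    for line in text.splitlines():
        match = LOG_RE.match(line.strip())
        if not match:
            continue  # skip lines that do not fit the assumed format
        src, _dst, qname = match.groups()
        results.append((src, qname, classify(qname, **kwargs)))
    return results


if __name__ == "__main__":
    for src, qname, verdict in scan_log(SAMPLE_LOG):
        print(f"{verdict:<10} {src:<18} {qname}")
```

Passing `allow=()` to `scan_log` shows the unfiltered behaviour, where the ELB name alerts exactly as in the reported hit.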