[Snort-sigs] indicator DNS queries

Weissenburger, Steve scweissen at tegna.com
Tue Dec 5 12:44:53 EST 2017


Hello,
I'm being hit with these three Snort rules and am trying to find more info on what exactly they are doing, but I'm coming up empty. Can anyone provide more insight? I'm a Snort newbie.

Thanks,
Steve

INDICATOR-COMPROMISE Suspicious .win dns query (1:44077:1)
INDICATOR-COMPROMISE Suspicious .top dns query (1:43687:1)
INDICATOR-COMPROMISE Suspicious .tk dns query (1:39867:3)
