[Snort-sigs] indicator DNS queries

Y M snort at outlook.com
Thu Dec 7 14:52:34 EST 2017

These rules detect DNS queries generated from the protected/home network to domains ending in the top-level domains (TLDs) “win”, “top”, and “tk”. Depending on your environment, domains under these TLDs might be suspicious, specifically the ones with “win” and “top”.

You need to identify the sources of these queries (obviously not the DNS servers, but the clients requesting the domains) and determine their legitimacy based on your environment and security requirements. Most often, I have seen these originating from mail gateways due to the sheer amount of spam sent from these domains. Your environment may be different.

From: Snort-sigs <snort-sigs-bounces at lists.snort.org> on behalf of Weissenburger, Steve <scweissen at tegna.com>
Sent: Tuesday, December 5, 2017 8:44:53 PM
To: snort-sigs at lists.snort.org
Subject: [Snort-sigs] indicator DNS queries

I’m being hit with these three snort rules and trying to find more info on what exactly these are doing but coming up empty. Can anyone provide more insight? I’m a snort newbie.


INDICATOR-COMPROMISE Suspicious .win dns query (1:44077:1)
INDICATOR-COMPROMISE Suspicious .top dns query (1:43687:1)
INDICATOR-COMPROMISE Suspicious .tk dns query (1:39867:3)
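The triage step the reply above describes (attribute the alerts to the requesting clients rather than the DNS servers, then judge each client's legitimacy) as an added Python example; this is not code from either poster or from the Snort project. The alert lines are constructed to resemble Snort's alert_fast output, the three SIDs are the ones quoted in the thread, and the address treated as a known mail gateway is an assumption for the sake of the example.

```python
"""Group Snort TLD-indicator alerts by the client that issued the query.

Added example, not code from the mailing-list thread or the Snort project.
It implements the triage the reply describes: attribute the .win/.top/.tk
alerts to the requesting clients, then set aside hosts you already expect
to see (e.g. mail gateways) so the remaining sources can be investigated.
The log lines are constructed to resemble Snort's alert_fast output; the
field layout in your deployment may differ.
"""
import re
from collections import Counter, defaultdict

# SIDs quoted in the thread, mapped to the TLD each rule watches.
TLD_RULES = {
    "1:44077:1": ".win",
    "1:43687:1": ".top",
    "1:39867:3": ".tk",
}

# Constructed sample alerts (not real data). The last line uses a SID in the
# local-rules range (>= 1000000) to show that unrelated alerts are ignored.
SAMPLE_ALERTS = """\
12/07-14:52:34.123456  [**] [1:44077:1] INDICATOR-COMPROMISE Suspicious .win dns query [**] [Classification: A Network Trojan was detected] [Priority: 1] {UDP} 10.0.0.25:51234 -> 10.0.0.53:53
12/07-14:52:35.223456  [**] [1:43687:1] INDICATOR-COMPROMISE Suspicious .top dns query [**] [Classification: A Network Trojan was detected] [Priority: 1] {UDP} 10.0.0.25:51240 -> 10.0.0.53:53
12/07-14:52:36.323456  [**] [1:39867:3] INDICATOR-COMPROMISE Suspicious .tk dns query [**] [Classification: A Network Trojan was detected] [Priority: 1] {UDP} 10.0.0.77:49152 -> 10.0.0.53:53
12/07-14:52:37.423456  [**] [1:44077:1] INDICATOR-COMPROMISE Suspicious .win dns query [**] [Classification: A Network Trojan was detected] [Priority: 1] {UDP} 10.0.0.25:51250 -> 10.0.0.53:53
12/07-14:52:38.523456  [**] [1:1000001:1] LOCAL constructed test rule [**] [Priority: 3] {UDP} 10.0.0.77:49160 -> 10.0.0.53:53
"""

# gid:sid:rev, rule message, protocol, then source and destination socket pairs.
ALERT_RE = re.compile(
    r"\[(?P<sid>\d+:\d+:\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)"
)


def parse_alert(line):
    """Return the fields of one alert_fast line, or None if it does not match."""
    m = ALERT_RE.search(line)
    return m.groupdict() if m else None


def triage(log_text, known_mail_gateways=frozenset()):
    """Count TLD-indicator alerts per source client and split the clients into
    'expected' (listed mail gateways) and 'investigate' (everyone else),
    busiest first in both lists."""
    per_client = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_alert(line)
        if rec is None:
            continue
        tld = TLD_RULES.get(rec["sid"])
        if tld is None:
            continue  # some other rule fired; not part of this triage
        per_client[rec["src"]][tld] += 1

    by_volume = sorted(per_client, key=lambda ip: -sum(per_client[ip].values()))
    return {
        "clients": {ip: dict(c) for ip, c in per_client.items()},
        "expected": [ip for ip in by_volume if ip in known_mail_gateways],
        "investigate": [ip for ip in by_volume if ip not in known_mail_gateways],
    }


if __name__ == "__main__":
    # 10.0.0.25 stands in for a known mail gateway (assumed for the example).
    result = triage(SAMPLE_ALERTS, known_mail_gateways={"10.0.0.25"})
    for ip in result["investigate"]:
        print(f"investigate {ip}: {result['clients'][ip]}")
    for ip in result["expected"]:
        print(f"expected    {ip}: {result['clients'][ip]}")
```

One caveat on where the source address comes from: this grouping only identifies the real client if the sensor sees the client-to-resolver leg of the query. If the sensor only sees your resolver's upstream lookups, the source will always be the resolver itself, and you will need the resolver's own query logs to map each lookup back to the requesting host.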
