[Snort-sigs] indicator DNS queries

Y M snort at outlook.com
Fri Dec 8 09:04:50 EST 2017

Please keep the posts on the list.

I’m not sure if you are asking or thinking out loud. Either way, probably no one can help you answer that question, but you. That’s why I stressed “your environment” in my previous response.

From: Weissenburger, Steve <scweissen at tegna.com>
Sent: Friday, December 8, 2017 4:26:07 PM
To: Y M
Subject: RE: [Snort-sigs] indicator DNS queries

Thanks for the response…now how to find the queries from our internal hosts.

From: Y M [mailto:snort at outlook.com]
Sent: Thursday, December 07, 2017 2:53 PM
To: Weissenburger, Steve <scweissen at tegna.com>; snort-sigs at lists.snort.org
Subject: Re: [Snort-sigs] indicator DNS queries

*External Email – Be Suspicious of Attachments, Links and Requests for Login Information*
These rules detect DNS queries generated from the protected/home network to domain(s) ending with top-level domains (TLD) “win”, “top”, and “tk”. Depending on your environment, domains under these TLDs might be suspicious, specifically the ones with “win” and “top”.

You need to identify the sources of these queries (obviously not the DNS servers, but the clients requesting the domains) and determine their legitimacy based on your environment and security requirements. Most often, I have seen these originating from mail gateways due the sheer amount of spam sent from these domains. Your environment maybe different.

From: Snort-sigs <snort-sigs-bounces at lists.snort.org<mailto:snort-sigs-bounces at lists.snort.org>> on behalf of Weissenburger, Steve <scweissen at tegna.com<mailto:scweissen at tegna.com>>
Sent: Tuesday, December 5, 2017 8:44:53 PM
To: snort-sigs at lists.snort.org<mailto:snort-sigs at lists.snort.org>
Subject: [Snort-sigs] indicator DNS queries

I’m being hit with these three snort rules and trying to find more info on what exactly these are doing but coming up empty. Can anyone provide more insight? I’m a snort newbie.


INDICATOR-COMPROMISE Suspicious .win dns query (1:44077:1)
INDICATOR-COMPROMISE Suspicious .top dns query (1:43687:1)
INDICATOR-COMPROMISE Suspicious .tk dns query (1:39867:3)

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20171208/6ff0e197/attachment-0001.html>

More information about the Snort-sigs mailing list