[Snort-users] Need help to detect BOTNET-CNC Palevo bot DNS attack

James Lay jlay at ...13475...
Sun Dec 11 09:38:56 EST 2011

On Dec 11, 2011, at 12:23 AM, babu dheen wrote:

> Dear,
>  We are using Astaro Firewall with IPS in pass through mode for last one year. We have been noticing  many number of  "BOTNET-CNC Palevo bot DNS request for C&C attempt" attack showing in IPS summery report wherein source address and destination address showing only DNS server which source address is my company internal DNS server and destination is ISP DNS server.
> We would like to find out the botnet infected clients which this IPS report shows. To help on this, we would like to know from which central URLs snort is downloading malware domains in its database so that we can refer the common URL against the DNS logs and find out the infected clients list.
> I need your valuable help and guidelines on this.
> Note: As you know, Astaro firewall is using Snort signature for IPS functionality.
> Rule ID
> Rule Nmae
> Group
> Events
> 16297
> BOTNET-CNC Palevo bot DNS
> request for C&C attempt
> Server
> 1018
> Regards
> Babu

Look at the rule dude:

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BOTNET-CNC Palevo bot DNS request for C&C attempt"; flow:to_server; content:"butterfly|05|sinip|02|es"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; reference:url,www.virustotal.com/analisis/c790a26f38070632759f481a87ed60c1628dea723ad63577cfe373de6b81e0a7-1249566492; classtype:trojan-activity; sid:16297; rev:3;)

Looks like it's not concerned with a list, but with data content.  I'd turn on DNS logging on your internal server to find out which internal machines may be infected.  Hope that helps.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20111211/054d9ed7/attachment.html>

More information about the Snort-users mailing list