[Snort-users] OT: DNS sinkhole question

Jason Haar Jason_Haar at ...15306...
Wed Dec 4 17:04:35 EST 2013

Hi there

We've got a couple of hits on the "BLACKLIST Connection to malware sinkhole" rules 
as well as the "ET TROJAN Known Sinkhole Response Header". Basically snort is alerting
when a website returns "X-Sinkhole: Malware sinkhole".

The problem is the captured packet is coming from our proxy server,
meaning I cannot track it back to a client IP. The destination was and I'm hoping someone here knows what organization is responsible for 
that sinkhole?

I have a suggestion for them that it would be majorly better if these Sinkholes
returned something like:

X-Sinkhole: Malware sinkhole
X-Sinkhole-Webhost: cnc-hacked.domain.com

where X-Sinkhole-Webhost is the hostname the client connected to. Then
I'd be able to grep for cnc-hacked.domain.com in the proxy logs and
thereby discover the affected client PC.

In fact, ET rule sid:2017662 matches on "X-Sinkholed-Domain:" - which smells very similar to
my "X-Sinkhole-Webhost:" idea, so it could be that some sinkholes do it - but not all?


Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

More information about the Snort-users mailing list