[Snort-users] OT: DNS sinkhole question
Jason_Haar at ...15306...
Wed Dec 4 17:04:35 EST 2013
We've got a couple of hits on the "BLACKLIST Connection to malware sinkhole" rules
as well as the "ET TROJAN Known Sinkhole Response Header". Basically Snort is alerting
when a website returns "X-Sinkhole: Malware sinkhole".
The problem is the captured packet is coming from our proxy server,
meaning I cannot track it back to a client IP. The destination was
18.104.22.168 and I'm hoping someone here knows what organization is responsible for
I have a suggestion for them that it would be majorly better if these Sinkholes
returned something like:
X-Sinkhole: Malware sinkhole
where X-Sinkhole-Webhost is the hostname the client connected to. Then
I'd be able to grep for cnc-hacked.domain.com in the proxy logs and
thereby discover the affected client PC.
In fact, ET rule sid:2017662 matches on "X-Sinkholed-Domain:" - which smells very similar to
my "X-Sinkhole-Webhost:" idea, so it could be that some sinkholes do it - but not all?
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
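As an added example that is not part of the post: a small Python script, assuming the sinkhole response carries either the ET rule's X-Sinkholed-Domain header or the proposed X-Sinkhole-Webhost header (hypothetical), and that the proxy writes a Squid-style access.log (constructed sample lines below), showing how the domain named in that header is pulled out and correlated back to the client IPs that contacted it.

```python
import re
from typing import Optional

# X-Sinkhole and X-Sinkholed-Domain appear in the post / ET rule sid:2017662;
# X-Sinkhole-Webhost is the poster's proposal (hypothetical header name).
DOMAIN_HEADERS = ("x-sinkholed-domain", "x-sinkhole-webhost")

def parse_sinkhole_response(raw: bytes) -> Optional[str]:
    """Return the sinkholed domain named in an HTTP response, '' if the response
    is a sinkhole hit with no domain header, or None if it is not a sinkhole."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    if "x-sinkhole" not in headers:
        return None
    for h in DOMAIN_HEADERS:
        if h in headers:
            return headers[h].lower()
    return ""

# Constructed Squid-style access.log lines:
# timestamp elapsed client action/status bytes method URL ident hierarchy type
PROXY_LOG = """\
1386190000.123    250 10.1.2.3 TCP_MISS/200 512 GET http://www.example.com/index.html - DIRECT/203.0.113.10 text/html
1386190001.456    310 10.1.2.44 TCP_MISS/200 321 GET http://cnc-hacked.domain.com/gate.php - DIRECT/198.51.100.5 text/html
1386190002.789    120 10.1.2.3 TCP_MISS/200 99 GET http://cnc-hacked.domain.com/ - DIRECT/198.51.100.5 text/html
"""

LOG_RE = re.compile(r"^\S+\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+\S+\s+(?P<url>\S+)")

def clients_for_domain(domain: str, log_text: str) -> list:
    """Return the distinct client IPs (in first-seen order) that fetched any URL on `domain`."""
    clients = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        host = re.sub(r"^\w+://", "", m.group("url")).split("/", 1)[0].split(":")[0].lower()
        if host == domain and m.group("client") not in clients:
            clients.append(m.group("client"))
    return clients

# Constructed sinkhole response of the kind the ET rule fires on.
SAMPLE_RESPONSE = (b"HTTP/1.1 200 OK\r\nX-Sinkhole: Malware sinkhole\r\n"
                   b"X-Sinkholed-Domain: cnc-hacked.domain.com\r\nContent-Length: 0\r\n\r\n")

if __name__ == "__main__":
    d = parse_sinkhole_response(SAMPLE_RESPONSE)
    print("sinkholed domain:", d, "clients:", clients_for_domain(d, PROXY_LOG))
```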