[Snort-users] OT: DNS sinkhole question
wkitty42 at ...14940...
Wed Dec 4 18:49:32 EST 2013
On 12/4/2013 5:04 PM, Jason Haar wrote:
> Hi there
> We've got a couple of hits on the "BLACKLIST Connection to malware sinkhole" rules
> as well as the "ET TROJAN Known Sinkhole Response Header". Basically snort is alerting
> when a website returns "X-Sinkhole: Malware sinkhole".
> The problem is the captured packet is coming from our proxy server,
> meaning I cannot track it back to a client IP. The destination was
> 188.8.131.52 and I'm hoping someone here knows what organization is responsible for
> that sinkhole?
yeah, agreed... s01.sinkhole.malware.suspended.domain is definitely an invalid
domain name... the IP belongs to rackspace and has been assigned to their cloud
services... whoever is maintaining the reverse lookup for that IP needs to FTS
additionally, you really should be sniffing on the other side of your proxy so
that you can trace back to the originating IP... but then again, your proxy logs
should also contain this information? maybe not as a domain name but the
destination IP should be logged, right?
> I have a suggestion for them that it would be majorly better if these Sinkholes
> returned something like:
> X-Sinkhole: Malware sinkhole
> X-Sinkhole-Webhost: cnc-hacked.domain.com
that would be one thing that could help...
> where X-Sinkhole-Webhost is the hostname the client connected to. Then
> I'd be able to grep for cnc-hacked.domain.com in the proxy logs and
> thereby discover the affected client PC.
as noted above, can't you grep for the IP? i mean any machines connecting to
that IP, no matter what domain they are looking for, are in deep poo and need to
be cleaned ;)
> In fact, ET rule sid:2017662 matches on "X-Sinkholed-Domain:" - which smells very similar to
> my "X-Sinkhole-Webhost:" idea, so it could be that some sinkholes do it - but not all?
kinda looks that way ;)
FWIW: i can think of three that are providing sinkholes... microsoft, google and
at least one AV group... sophos i think but not sure... it would be nice if
there was a listing of sinkholes and what domains they are sinkholing... i know
that others have run afoul of some when they've sinkholed IPs that were already
sinkholed... m$ has at least twice...
NOTE: No off-list assistance is given without prior approval.
Please keep mailing list traffic on the list unless
private contact is specifically requested and granted.
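The approach discussed in this thread (spot the X-Sinkhole response headers the Snort/ET rules match on, then grep the proxy logs for the sinkhole destination IP or hostname to find the originating client) as an added example, not code from the list posters. It assumes a Squid-style native access.log where the hierarchy field records the destination IP; the log lines and HTTP response are constructed samples, using the IP and hostname from the thread.

```python
import re
from collections import defaultdict

# Constructed sample lines in Squid's native access.log layout (assumption:
# the proxy logs the destination IP in the hierarchy field, as Squid does).
SAMPLE_PROXY_LOG = """\
1386190001.101    245 10.20.30.41 TCP_MISS/200 1234 GET http://cnc-hacked.domain.com/gate.php - HIER_DIRECT/188.8.131.52 text/html
1386190002.202     12 10.20.30.55 TCP_MISS/200 5120 GET http://www.example.com/ - HIER_DIRECT/203.0.113.10 text/html
1386190003.303    301 10.20.30.77 TCP_MISS/200 88 POST http://198.51.100.7/upload - HIER_DIRECT/188.8.131.52 text/plain
1386190004.404     40 10.20.30.41 TCP_HIT/200 2048 GET http://www.example.com/logo.png - HIER_NONE/- image/png
"""

# Constructed HTTP response of the kind the "Known Sinkhole Response Header" rule alerts on.
SAMPLE_SINKHOLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\nX-Sinkhole: Malware sinkhole\r\n"
    "X-Sinkholed-Domain: cnc-hacked.domain.com\r\nContent-Type: text/html\r\n\r\n<html></html>"
)

SQUID_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<result>\S+)\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>[^/\s]+)/(?P<dst>\S+)\s+(?P<mime>\S+)$"
)


def parse_sinkhole_headers(raw_response):
    """Return every X-Sinkhole* header from an HTTP response, e.g. the
    X-Sinkholed-Domain value some sinkholes add, which names the C2 host."""
    headers = {}
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower().startswith("x-sinkhole"):
            headers[name.strip()] = value.strip()
    return headers


def find_sinkhole_clients(log_text, sinkhole_ips, sinkhole_hosts=()):
    """Map each internal client IP to the URLs it requested whose destination
    IP (hierarchy field) or URL host is a known sinkhole. Matching on the IP
    catches clients regardless of which sinkholed domain they resolved."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = SQUID_RE.match(line)
        if not m:
            continue  # tolerate lines in another format
        host = re.sub(r"^https?://", "", m["url"]).split("/")[0].split(":")[0]
        if m["dst"] in sinkhole_ips or host in sinkhole_hosts:
            hits[m["client"]].append(m["url"])
    return dict(hits)
```

Run `find_sinkhole_clients(SAMPLE_PROXY_LOG, {"188.8.131.52"})` and both 10.20.30.41 and 10.20.30.77 come back; matching only on the hostname from X-Sinkholed-Domain would miss the second client, which reached the sinkhole by raw IP.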