[Snort-users] OT: DNS sinkhole question

waldo kitty wkitty42 at ...14940...
Wed Dec 4 18:49:32 EST 2013


On 12/4/2013 5:04 PM, Jason Haar wrote:
> Hi there
>
> We've got a couple of hits on the "BLACKLIST Connection to malware sinkhole" rules
> as well as the "ET TROJAN Known Sinkhole Response Header". Basically snort is alerting
> when a website returns "X-Sinkhole: Malware sinkhole".
>
> The problem is the captured packet is coming from our proxy server,
> meaning I cannot track it back to a client IP. The destination was
> 166.78.144.80 and I'm hoping someone here knows what organization is responsible for
> that sinkhole?

yeah, agreed... s01.sinkhole.malware.suspended.domain is definitely an invalid 
domain name... the IP belongs to rackspace and has been assigned to their cloud 
services... whoever is maintaining the reverse lookup for that IP needs to FTS 
(FixTheirStuff)...

additionally, you really should be sniffing on the other side of your proxy so 
that you can trace back to the originating IP... but then again, your proxy logs 
should also contain this information? maybe not as a domain name but the 
destination IP should be logged, right?

> I have a suggestion for them that it would be majorly better if these Sinkholes
> returned something like:
>
> X-Sinkhole: Malware sinkhole
> X-Sinkhole-Webhost: cnc-hacked.domain.com

that would be one thing that could help...

> where X-Sinkhole-Webhost is the hostname the client connected to. Then
> I'd be able to grep for cnc-hacked.domain.com in the proxy logs and
> thereby discover the affected client PC.

as noted above, can't you grep for the IP? i mean any machines connecting to 
that IP, no matter what domain they are looking for, are in deep poo and need to 
be cleaned ;)

> In fact, ET rule sid:2017662 matches on "X-Sinkholed-Domain:" - which smells very similar to
> my "X-Sinkhole-Webhost:" idea, so it could be that some sinkholes do it - but not all?

kinda looks that way ;)

FWIW: i can think of three that are providing sinkholes... microsoft, google and 
at least one AV group... sophos i think but not sure... it would be nice if 
there was a listing of sinkholes and what domains they are sinkholing... i know 
that others have run afoul of some when they've sinkholed IPs that were already 
sinkholed... m$ has at least twice...

-- 
NOTE: No off-list assistance is given without prior approval.
       Please keep mailing list traffic on the list unless
       private contact is specifically requested and granted.
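One way to do the correlation discussed in this thread (grep the proxy log for the sinkhole IP, and use the X-Sinkholed-Domain header when a sinkhole sends one), as an added example that is not from the list or either poster; the Squid-format log lines, client addresses and the HTTP response are constructed samples.

```python
import re

# Sinkhole destination from the thread; any client that reached it needs cleaning.
SINKHOLE_IPS = {"166.78.144.80"}
# Response headers the Snort/ET rules above key on (ET sid:2017662 matches X-Sinkholed-Domain).
SINKHOLE_HEADERS = ("x-sinkhole", "x-sinkholed-domain")

# Constructed sample in Squid native access.log format:
# time elapsed client action/code size method url user hierarchy/peer type
SAMPLE_PROXY_LOG = """\
1386190000.123 210 10.1.2.34 TCP_MISS/200 512 GET http://cnc-hacked.domain.com/gate.php - DIRECT/166.78.144.80 text/html
1386190001.456 80 10.1.2.35 TCP_MISS/200 3021 GET http://www.example.com/ - DIRECT/93.184.216.34 text/html
1386190002.789 150 10.1.2.36 TCP_MISS/200 512 GET http://other-bad.example/ - DIRECT/166.78.144.80 text/html
"""
# Constructed sample of the sinkhole's response to the first request above.
SAMPLE_RESPONSE = ("HTTP/1.1 200 OK\r\nX-Sinkhole: Malware sinkhole\r\n"
                   "X-Sinkholed-Domain: cnc-hacked.domain.com\r\n\r\n<html></html>")

SQUID_RE = re.compile(r"^\S+\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+\S+\s+(?P<url>\S+)\s+"
                      r"\S+\s+[A-Z_]+/(?P<peer>\S+)\s+\S+")

def sinkhole_headers(raw_response):
    """Return {lower-cased header name: value} for sinkhole headers in an HTTP response."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    found = {}
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() in SINKHOLE_HEADERS:
            found[name.strip().lower()] = value.strip()
    return found

def clients_hitting_sinkhole(log_text, sinkhole_ips=SINKHOLE_IPS, domain=None):
    """Map each client that reached a sinkhole IP (or the sinkholed domain) to its URLs."""
    hits = {}
    for line in log_text.splitlines():
        m = SQUID_RE.match(line)
        if not m:
            continue
        host = m.group("url").split("/")[2] if "://" in m.group("url") else m.group("url")
        if m.group("peer") in sinkhole_ips or (domain and host == domain):
            hits.setdefault(m.group("client"), []).append(m.group("url"))
    return hits

def trace_sinkhole_alert(raw_response, log_text):
    """Tie an alerting response back to clients: use X-Sinkholed-Domain when present, else the IP."""
    domain = sinkhole_headers(raw_response).get("x-sinkholed-domain")
    return clients_hitting_sinkhole(log_text, SINKHOLE_IPS, domain)
```

Run it against a real access.log and the captured response; when the sinkhole only returns X-Sinkhole, the IP match still identifies every client that talked to it.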
