Home page logo
/

snort logo Snort mailing list archives

External DNS 127.0.0.1 response
From: James Lay <jlay () slave-tothe-box net>
Date: Fri, 19 Apr 2013 12:12:22 -0600

Bot suspension technique:

alert udp $EXTERNAL_NET 53 -> $DNS_SERVERS any (msg:"INDICATOR-COMPROMISE External DNS 127.0.0.1 response, possible bot 
suspension"; flow:from_server; content:"127.0.0.1"; fast_pattern:only; metadata:impact_flag red, service dns; 
classtype:trojan-activity; sid:10000048; rev:1;)

James
------------------------------------------------------------------------------
Precog is a next-generation analytics platform capable of advanced
analytics on semi-structured data. The platform includes APIs for building
apps and a phenomenal toolset for data science. Developers can use
our toolset for easy data analysis & visualization. Get a free account!
http://www2.precog.com/precogplatform/slashdotnewsletter
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]