
Snort mailing list archives
Re: OT: DNS sinkhole question
From: waldo kitty <wkitty42 () windstream net>
Date: Wed, 04 Dec 2013 18:49:32 -0500
On 12/4/2013 5:04 PM, Jason Haar wrote:
> Hi there. We've got a couple of hits on the "BLACKLIST Connection to malware sinkhole" rules as well as the "ET TROJAN Known Sinkhole Response Header". Basically snort is alerting when a website returns "X-Sinkhole: Malware sinkhole". The problem is the captured packet is coming from our proxy server, meaning I cannot track it back to a client IP. The destination was 166.78.144.80 and I'm hoping someone here knows what organization is responsible for that sinkhole?
yeah, agreed... s01.sinkhole.malware.suspended.domain is definitely an invalid domain name... the IP belongs to rackspace and has been assigned to their cloud services... whoever is maintaining the reverse lookup for that IP needs to FTS (FixTheirStuff)... additionally, you really should be sniffing on the other side of your proxy so that you can trace back to the originating IP... but then again, your proxy logs should also contain this information? maybe not as a domain name but the destination IP should be logged, right?
> I have a suggestion for them that it would be majorly better if these Sinkholes returned something like:
>
> X-Sinkhole: Malware sinkhole
> X-Sinkhole-Webhost: cnc-hacked.domain.com
that would be one thing that could help...
> where X-Sinkhole-Webhost is the hostname the client connected to. Then I'd be able to grep for cnc-hacked.domain.com in the proxy logs and thereby discover the affected client PC.
as noted above, can't you grep for the IP? i mean any machines connecting to that IP, no matter what domain they are looking for, are in deep poo and need to be cleaned ;)
> In fact, ET rule sid:2017662 matches on "X-Sinkholed-Domain:" - which smells very similar to my "X-Sinkhole-Webhost:" idea, so it could be that some sinkholes do it - but not all?
kinda looks that way ;) FWIW: i can think of three that are providing sinkholes... microsoft, google and at least one AV group... sophos i think but not sure... it would be nice if there was a listing of sinkholes and what domains they are sinkholing... i know that others have run afoul of some when they've sinkholed IPs that were already sinkholed... m$ has at least twice...

--
NOTE: No off-list assistance is given without prior approval. Please keep mailing list traffic on the list unless private contact is specifically requested and granted.
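Added example, not part of the thread and not code from either poster: the two lookups discussed above (grep the proxy log for the sinkhole's destination IP, and grep it for the hostname a sinkhole hands back in an X-Sinkholed-Domain header) written out against Squid's native access.log format. The log lines and the HTTP response below are constructed sample data, not captured traffic; the sinkhole IP 166.78.144.80 and the cnc-hacked.domain.com placeholder are taken from the thread. It assumes Squid logs the server IP in the hierarchy field (HIER_DIRECT/ip), which is where the IP match works; a request relayed through a parent proxy only records the parent's IP, so the last sample line is caught only by the domain match.

```python
"""Trace sinkhole hits seen at a proxy back to the client behind it.

Two lookups, both fed from constructed sample data:
  * the destination IP from the Snort alert, matched against the peer/server
    IP that Squid records in the hierarchy field of its native access.log;
  * the hostname a sinkhole reports in an X-Sinkholed-Domain response
    header, matched against the host in the logged request URL.
"""
import re
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed sample of Squid native-format access.log lines (not real traffic).
# Fields: timestamp elapsed client result/status bytes method URL ident hierarchy/peer type
SAMPLE_ACCESS_LOG = """\
1386194640.123    245 10.1.2.34 TCP_MISS/200 1234 GET http://cnc-hacked.domain.com/gate.php - HIER_DIRECT/166.78.144.80 text/html
1386194641.456     12 10.1.2.35 TCP_MISS/200 5678 GET http://www.example.com/index.html - HIER_DIRECT/93.184.216.34 text/html
1386194702.789    301 10.1.2.36 TCP_MISS/200 1234 GET http://other-c2.example.net/ping - HIER_DIRECT/166.78.144.80 text/html
1386194750.001     80 10.1.2.34 TCP_MISS/200 1234 POST http://cnc-hacked.domain.com/gate.php - HIER_DIRECT/166.78.144.80 text/html
1386194760.002     80 10.1.2.37 TCP_MISS/200 1234 GET http://cnc-hacked.domain.com/ - FIRSTUP_PARENT/10.0.0.1 text/html
"""

# Constructed sinkhole response carrying both header styles mentioned in the thread.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: nginx\r\n"
    b"X-Sinkhole: Malware sinkhole\r\n"
    b"X-Sinkholed-Domain: cnc-hacked.domain.com\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

SQUID_NATIVE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<result>\S+)\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+"
    r"(?P<hier>[^/\s]+)/(?P<peer>\S+)\s+(?P<type>\S+)$"
)


def sinkhole_headers(raw: bytes) -> dict:
    """Return every X-Sinkhole* header in a raw HTTP response, names lowercased."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    found = {}
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower().startswith("x-sinkhole"):
            found[name.strip().lower()] = value.strip()
    return found


def parse_squid_line(line: str):
    """Parse one native-format access.log line; None if it does not match."""
    m = SQUID_NATIVE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    if d["method"] == "CONNECT":                  # CONNECT logs host:port, not a URL
        host = d["url"].rsplit(":", 1)[0]
    else:
        host = urlsplit(d["url"]).hostname or ""
    return {
        "time": datetime.fromtimestamp(float(d["ts"]), tz=timezone.utc),
        "client": d["client"], "host": host.lower(),
        "hier": d["hier"], "peer": d["peer"], "url": d["url"],
    }


def find_affected_clients(log_text: str, sinkhole_ips=(), sinkholed_domains=()) -> dict:
    """Map each client IP to the sorted hostnames it reached that were sinkholed.

    A line counts if the proxy fetched directly from a sinkhole IP (peer field)
    or if the request host is one a sinkhole named in X-Sinkholed-Domain.
    Requests relayed through a parent proxy only show the parent's IP, so they
    are caught only by the domain match.
    """
    ips = set(sinkhole_ips)
    domains = {d.lower() for d in sinkholed_domains}
    hits = {}
    for line in log_text.splitlines():
        rec = parse_squid_line(line)
        if rec and (rec["peer"] in ips or rec["host"] in domains):
            hits.setdefault(rec["client"], set()).add(rec["host"])
    return {client: sorted(hosts) for client, hosts in hits.items()}


if __name__ == "__main__":
    hdrs = sinkhole_headers(SAMPLE_RESPONSE)
    domains = [hdrs["x-sinkholed-domain"]] if "x-sinkholed-domain" in hdrs else []
    report = find_affected_clients(SAMPLE_ACCESS_LOG, {"166.78.144.80"}, domains)
    for client, hosts in sorted(report.items()):
        print(f"{client} talked to sinkholed host(s): {', '.join(hosts)}")
```

Run against a real access.log by replacing SAMPLE_ACCESS_LOG with the file contents; if the proxy uses a custom logformat, adjust SQUID_NATIVE accordingly. The IP match alone is what the reply above recommends and is enough for a direct-fetching proxy; the header-derived domain list is the extra hook that only helps when the sinkhole sends an X-Sinkholed-Domain (or similar) header, as the ET rule in the quoted text expects.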
Current thread:
- OT: DNS sinkhole question Jason Haar (Dec 04)
- Re: OT: DNS sinkhole question waldo kitty (Dec 04)