Re: Snort SID Help 1:28039:5

[Vincent Zhen <vincent.zhen () nyu edu>]

Bunch of returns on the rule:

https://www.google.com/webhp?sourceid=chrome-instant&ion=1&espv=2&ie=UTF-8#q=pw%20dns%20query

Rule seems to suggest that someone is making a DNS request to a Palau
domain (along UDP/53). In the payload, it looks for:
1. Does NOT have "[Start of Header]u[Start of Text]pw" anywhere
2. Query header has 24th and 48th bit set to 1. (Recursion desired and 1
query - everything else set to 0 barring the first 2 bytes which is the DNS
ID)
3. DOES have "[Start of Text]pw[NUL]" after the headers of the DNS query.

Ref: http://www.networksorcery.com/enp/protocol/dns.htm

Disclaimer: I'm new to snort sigs. This is what I figure it means but I'm
in no way an authority on how they work. Please correct me if I'm wrong!

On Fri, Mar 11, 2016 at 10:36 AM, Joel Esler (jesler) <jesler () cisco com>
wrote:

> Looks like it's a dns lookup for the .pw tld.  Generally speaking a place
> of bad things.  More details would help us.
>
> --
> Joel Esler
> iPhone
>
> On Mar 11, 2016, at 10:25 AM, Matt Brichetto <M_Brichetto () cuinterface com>
> wrote:
>
> Hello Fellow Snort Users,
>
>
>
> I get the following alert below on a LAN to LAN address. Everyone once and
> awhile we get this, but there seems to be no info on the rule. Has this
> rule been deprecated or something along those lines. I really don’t know
> how to troubleshoot this or if it is a false positive.
>
>
>
>
>
>
>
>
>
> EVENT # :
>
> 172511
>
> EVENTLOG :
>
> Application
>
> *EVENT TYPE :*
>
> *WARNING (2)*
>
> SOURCE :
>
> snort
>
> EVENT ID :
>
> 1
>
> TIME :
>
> 3/11/2016 9:25:55 AM
>
> MESSAGE :
>
> [1:28039:5] INDICATOR-COMPROMISE Suspicious .pw dns query [Classification:
> A Network Trojan was Detected] [Priority: 1] {UDP} 192.168.22.16:17159 ->
> 192.168.22.4:53
>
>
>
>
>
> Thanks,
>
>
>
> *Matt Brichetto*
> Network Administrator
>
>
>
>
>
>   ­­
>
>
> ------------------------------------------------------------------------------
> Transform Data into Opportunity.
> Accelerate data analysis in your applications with
> Intel Data Analytics Acceleration Library.
> Click to learn more.
> http://pubads.g.doubleclick.net/gampad/clk?id=278785111&iu=/4140
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
>
>
>
> ------------------------------------------------------------------------------
> Transform Data into Opportunity.
> Accelerate data analysis in your applications with
> Intel Data Analytics Acceleration Library.
> Click to learn more.
> http://pubads.g.doubleclick.net/gampad/clk?id=278785111&iu=/4140
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!



-- 
Vincent Zhen
Network Security Analyst, NYU Technology Security Services
New York University
726 Broadway, New York, NY 10003

------------------------------------------------------------------------------
Transform Data into Opportunity.
Accelerate data analysis in your applications with
Intel Data Analytics Acceleration Library.
Click to learn more.
http://pubads.g.doubleclick.net/gampad/clk?id=278785111&iu=/4140

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!