Snort mailing list archives

Re: Rule 3:30881


From: Jeremy Hoel <jthoel () gmail com>
Date: Thu, 20 Oct 2016 16:13:34 -0700

So for this type of rule, for the clients I have been working with, I tell
them that there isn't a great way to filter this.  It's looking for overly
long DNS queries, which rack space providers offer and while it can be
assumed that someone doing malware things wouldn't use
computername.ip.info.amazon.aws  (or some other long dns exfiltration
scheme).. it should be able to exclude CDNs and some AWS domains.. just
knowing that you might be opening it up to other things.

I have been thinking about how to do other things in order to prevent FPs,
but I couldn't come up with anything that could also be used by the bad
guys.  As people use more cloud based services, this is going to become
harder to use.  A better option might be to just capture DNS queries and
quickly query that

On Thu, Oct 20, 2016 at 7:05 AM, James Lay <jlay () slave-tothe-box net> wrote:

Rule:
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"MALWARE-OTHER dns
request with long host name segment - possible data exfiltration
attempt"; sid:30881; gid:3; rev:4; classtype:attempted-recon; metadata:
engine shared, soid 3|30881, service dns;)

Hit
[3:30881:3] MALWARE-OTHER dns request with long host name segment -
possible data exfiltration attempt [Classification: Attempted
Information Leak] [Priority: 2] {UDP} x.x.x.x:64712 -> x.x.x.x:53

dns request
cat-server-lb-tus1gwynwapex01-368602537.us-east-1.elb.amazonaws.com

I'm hoping you folks can look at this instead of myself just blindly
event_filtering this rule.  Thank you.

James

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!

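Added example, not code from the thread or from the Snort rule itself: a small Python triage pass over a constructed DNS query log that suppresses only the ELB name shape behind the false positive above, rather than all of amazonaws.com, and counts distinct long-label names per source and parent domain as the extra signal Jeremy's closing suggestion points at. The 30-character label cut-off, the `tunnel.example` names and the sample records are assumptions.

```python
import re
from collections import defaultdict

# Assumption: the shared-object rule's length cut-off is not stated in the
# thread; 30 characters per label is used here purely for illustration.
MAX_LABEL_LEN = 30

# Narrow exclusion for the exact false positive in the thread: an AWS ELB name
# has the shape <name>-<digits>.<region>.elb.amazonaws.com. Suppressing only
# that shape, not all of amazonaws.com, limits what else the gap lets through.
ELB_NAME = re.compile(r"[a-z0-9-]+-\d+\.[a-z0-9-]+\.elb\.amazonaws\.com")

def classify(qname):
    """'pass' (no long label), 'suppressed-elb' (long, but a known ELB shape)
    or 'alert' for a single query name."""
    name = qname.rstrip(".").lower()
    if max(len(label) for label in name.split(".")) <= MAX_LABEL_LEN:
        return "pass"
    if ELB_NAME.fullmatch(name):
        return "suppressed-elb"
    return "alert"

def triage(records):
    """records: constructed (src_ip, qname) pairs from a DNS query log.
    Returns per-record verdicts and, per (src, parent domain), how many distinct
    alerting names were seen: tunnelling yields many unique long labels under
    one domain, while a single repeated long name usually does not."""
    verdicts, distinct = [], defaultdict(set)
    for src, qname in records:
        verdict = classify(qname)
        verdicts.append((src, qname, verdict))
        if verdict == "alert":
            parent = ".".join(qname.rstrip(".").lower().split(".")[-2:])
            distinct[(src, parent)].add(qname.lower())
    return verdicts, {key: len(names) for key, names in distinct.items()}

# Constructed sample queries, not records from the thread's sensor.
SAMPLE = [
    ("10.0.0.5", "cat-server-lb-tus1gwynwapex01-368602537.us-east-1.elb.amazonaws.com"),
    ("10.0.0.5", "www.example.com"),
    ("10.0.0.9", "mfrggzdfmztwq2lknnwg23tpobyxe43uobwwc3tpof.tunnel.example"),
    ("10.0.0.9", "mzwgc3tlfzxw6zdfobyw4zlnfvuxg3lpnz2gc3tbo5.tunnel.example"),
    ("10.0.0.9", "longbucketnamethatexceedsthelimit-but-not-elb.s3.amazonaws.com"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE)[0]:
        print(row)
    print(triage(SAMPLE)[1])
```

The last sample shows why the exclusion is kept narrow: a long label under amazonaws.com that is not an ELB name still alerts.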
