snort-sigs March 2012 archive

Re: [Snort-sigs] BOTNET-CNC Possible host infection - excessive DNS queries for .eu

From: Joel Esler <jesler_at_nospam>
Date: Mon Mar 12 2012 - 15:59:46 GMT
To: Martin Holste <mcholste@gmail.com>

Are you running this rule and seeing false positives?

On Mar 12, 2012, at 11:46 AM, Martin Holste wrote:

> My point was that you should probably use at least !$SMTP_SERVERS for
> the srcip. I can definitely understand not wanting to also add
> !$DNS_SERVERS since a compromised client could (will?) be using the
> org's DNS servers to do the lookups. In any case, it's clear that the
> rule is more for demonstrative purposes than anything, but that's why
> I wanted to raise the point regarding some of the pitfalls of
> detection_filter based rules for any new rule-writers out there.
>
> On Mon, Mar 12, 2012 at 10:27 AM, Joel Esler <jesler@sourcefire.com> wrote:
>> On Mon, Mar 12, 2012 at 11:21 AM, Community Signatures
>> <lists@packetmail.net> wrote:
>>>
>>> On 03/12/12 10:14, Martin Holste wrote:
>>>> The sig, as written, will false like crazy on any medium or large
>>>> sized network because it does not take into account DNS servers or
>>>> SMTP servers (or spam gateways) which do a lot of DNS lookups.
>>>
>>> I dunno, "detection_filter:track by_src, count 100, seconds 10;" -- even
>>> in these high-volume networks I would tend to agree that 10
>>> queries/second is suspicious when 100 after 10 seconds is reached.
>>>
>>
>> We've had one report of a false positive on a rule similar to this as a
>> result of Chrome doing pre-fetching on certain sites (.ru, not .eu) so I am
>> sure it could happen. If there are 100 external links NOT with the same
>> domain name on a single page.
>>
>> This is an indicator of compromise. In the new rule category system:
>> http://blog.snort.org/2012/03/rule-category-reorganization.html
>>
>> This will go in INDICATOR-COMPROMISE
>>
>>
>> --
>> Joel Esler
>> Senior Research Engineer, VRT
>> OpenSource Community Manager
>> Sourcefire
>>
>>

_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org

Please visit http://blog.snort.org for the latest news about Snort!
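As an added illustration of the thread's point (this is not code from the list, from Snort, or from the VRT rule), here is a small Python model of "detection_filter: track by_src, count 100, seconds 10;" run over constructed DNS query events from a workstation and an SMTP gateway, showing why a source exclusion such as !$SMTP_SERVERS changes who alerts. It assumes the semantics described in the Snort manual: after the first `count` matches from one source inside a `seconds` window, every further match in that window alerts; the IP addresses, hostnames and timestamps are synthetic.

```python
from collections import defaultdict

# Constructed model of Snort's "detection_filter: track by_src, count 100, seconds 10;"
# Semantics assumed from the Snort manual: after the first COUNT matches from one
# source inside a SECONDS-long window, every further match in that window alerts.
COUNT, SECONDS = 100, 10

def run_rule(events, excluded_sources=frozenset()):
    """events: iterable of (timestamp_seconds, src_ip, qname).
    Returns the list of (timestamp, src_ip) pairs that would produce an alert."""
    window_start = {}
    matches = defaultdict(int)
    alerts = []
    for ts, src, qname in events:
        # Rule body: a DNS query whose name ends in .eu (the rule under discussion)
        if not qname.lower().rstrip(".").endswith(".eu"):
            continue
        # Source-variable exclusion on the rule header, e.g. !$SMTP_SERVERS
        if src in excluded_sources:
            continue
        # detection_filter bookkeeping, tracked per source address
        if src not in window_start or ts - window_start[src] >= SECONDS:
            window_start[src] = ts
            matches[src] = 0
        matches[src] += 1
        if matches[src] > COUNT:
            alerts.append((ts, src))
    return alerts

def constructed_events():
    """Constructed sample: one workstation and one SMTP gateway, each making
    many .eu lookups inside a 10-second span (all values are synthetic)."""
    ev = []
    for i in range(120):                       # workstation: 120 queries in under 10 s
        ev.append((i * 0.08, "10.0.0.5", f"host{i}.example.eu"))
    for i in range(150):                       # SMTP gateway resolving sender domains
        ev.append((i * 0.06, "10.0.0.25", f"mx{i}.sender.eu"))
    ev.sort(key=lambda e: e[0])
    return ev

def alert_sources(excluded_sources=frozenset()):
    """Distinct sources that alert for the constructed sample."""
    return sorted({src for _, src in run_rule(constructed_events(), excluded_sources)})

if __name__ == "__main__":
    print("no exclusion:  ", alert_sources())            # both hosts alert
    print("!$SMTP_SERVERS:", alert_sources({"10.0.0.25"}))  # only the workstation
```

Without the exclusion the busy gateway trips the filter exactly like the workstation does; with it, only the workstation remains, which is the trade-off the thread describes for $DNS_SERVERS as well.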