Snort mailing list archives
Re: Need help to detect BOTNET-CNC Palevo bot DNS attack
From: Kevin Ross <kevross33 () googlemail com>
Date: Mon, 12 Dec 2011 14:01:54 +0000
What this sig is catching is queries for a known malicious command and control domain name. What you need to do is enable logging on your local DNS server and then search for the domain specific in the signature in those logs when you get hits to determine who is making them. You could also redirect the domain to another IP on your network and log who attempts to connect to that. Also if your firewall/ips lets you upload your own snort signatures then I would look at the emergingthreats.net rules in emerging-trojan, emerging-malware etc for any Palevo sigs (I would recommend running emergingthreats rules for the additional detection anyway). The domain you want to look for is butterfly.sinip.es Regards, Kevin Ross On 11 December 2011 16:53, babu dheen <babudheen () yahoo co in> wrote:
Dear James, Thanks for your response. Actually i have two query on your update. 1. You mentioned that since data content contains malicious code, this siganture fires, but i would like to update you that when this signature fires, source and destination IP showing DNS servers only (not infected client IP). Do you mean that when infected client makes DNS query to CNC botnet URL, DNS query itself contain malicious content? 2. If you consider any small company network, all internal machines would be pointed to company internal DNS server and internal DNS server will be pointed to ISP DNS server. So if this signature fires, will we never see true client IP address in any network? 3. Sorry, i am not familiar with snort signatures and hence i am not able to understand your query. I will be happy if you can provide more details on this. Regards Babu --- On *Sun, 11/12/11, James Lay <jlay () slave-tothe-box net>* wrote: From: James Lay <jlay () slave-tothe-box net> Subject: Re: [Snort-users] Need help to detect BOTNET-CNC Palevo bot DNS attack To: "Snort" <snort-users () lists sourceforge net> Date: Sunday, 11 December, 2011, 8:08 PM On Dec 11, 2011, at 12:23 AM, babu dheen wrote: Dear, We are using Astaro Firewall with IPS in pass through mode for last one year. We have been noticing many number of "BOTNET-CNC Palevo bot DNS request for C&C attempt" attack showing in IPS summery report wherein source address and destination address showing only DNS server which source address is my company internal DNS server and destination is ISP DNS server. We would like to find out the botnet infected clients which this IPS report shows. To help on this, we would like to know from which central URLs snort is downloading malware domains in its database so that we can refer the common URL against the DNS logs and find out the infected clients list. I need your valuable help and guidelines on this. Note: As you know, Astaro firewall is using Snort signature for IPS functionality. *Rule ID* *Rule Nmae* *Group* *Events* *16297* *BOTNET-CNC Palevo bot DNS request for C&C attempt* *Server* *1018* Regards Babu Look at the rule dude: alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BOTNET-CNC Palevo bot DNS request for C&C attempt"; flow:to_server; content:"butterfly|05|sinip|02|es"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; reference:url, www.virustotal.com/analisis/c790a26f38070632759f481a87ed60c1628dea723ad63577cfe373de6b81e0a7-1249566492; classtype:trojan-activity; sid:16297; rev:3;) Looks like it's not concerned with a list, but with data content. I'd turn on DNS logging on your internal server to find out which internal machines may be infected. Hope that helps. James -----Inline Attachment Follows----- ------------------------------------------------------------------------------ Learn Windows Azure Live! Tuesday, Dec 13, 2011 Microsoft is holding a special Learn Windows Azure training event for developers. It will provide a great way to learn Windows Azure and what it provides. You can attend the event by watching it streamed LIVE online. Learn more at http://p.sf.net/sfu/ms-windowsazure -----Inline Attachment Follows----- _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net<http://in.mc1373.mail.yahoo.com/mc/compose?to=Snort-users () lists sourceforge net> Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news! ------------------------------------------------------------------------------ Learn Windows Azure Live! Tuesday, Dec 13, 2011 Microsoft is holding a special Learn Windows Azure training event for developers. It will provide a great way to learn Windows Azure and what it provides. You can attend the event by watching it streamed LIVE online. Learn more at http://p.sf.net/sfu/ms-windowsazure _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
------------------------------------------------------------------------------ Learn Windows Azure Live! Tuesday, Dec 13, 2011 Microsoft is holding a special Learn Windows Azure training event for developers. It will provide a great way to learn Windows Azure and what it provides. You can attend the event by watching it streamed LIVE online. Learn more at http://p.sf.net/sfu/ms-windowsazure
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Need help to detect BOTNET-CNC Palevo bot DNS attack babu dheen (Dec 11)
- Re: Need help to detect BOTNET-CNC Palevo bot DNS attack James Lay (Dec 11)
- Re: Need help to detect BOTNET-CNC Palevo bot DNSattack Jason Haar (Dec 12)
- Re: Need help to detect BOTNET-CNC Palevo bot DNSattack babu dheen (Dec 12)
- Re: Need help to detect BOTNET-CNC Palevo bot DNSattack Martin Holste (Dec 12)
- Re: Need help to detect BOTNET-CNC Palevo bot DNSattack babu dheen (Dec 13)
- Re: Need help to detect BOTNET-CNC Palevo bot DNSattack Martin Holste (Dec 13)
- Re: Need help to detect BOTNET-CNC Palevo bot DNSattack Jason Haar (Dec 12)
- Re: Need help to detect BOTNET-CNC Palevo bot DNS attack James Lay (Dec 11)
- Re: Need help to detect BOTNET-CNC Palevo bot DNS attack babu dheen (Dec 12)
- Re: Need help to detect BOTNET-CNC Palevo bot DNS attack babu dheen (Dec 12)
- Re: Need help to detect BOTNET-CNC Palevo bot DNS attack Kevin Ross (Dec 12)