Snort mailing list archives
BLACKLIST DNS request for known malware domain 143biz.cc.md-14.webhostbox.net
From: Travis McWaters <travis.mcwaters+snort-sigs () gmail com>
Date: Thu, 17 Nov 2016 16:28:13 -0600
Looking over the DNS-related signatures today, I noticed two signatures for the same domain:

alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain 143biz.cc.md-14.webhostbox.net - Win.Trojan.Backoff"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|143biz|02|cc|05|md-14|0A|webhostbox|03|net|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; reference:url, www.virustotal.com/en/url/b7aac87f8be38de5a35efac918c577380f229d461c5d7567bd5842b71d252523/analysis/; classtype:trojan-activity; sid:32446; rev:1; )

alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain 143biz.cc.md-14.webhostbox.net - Win.Trojan.Soraya"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|143biz|02|cc|05|md-14|0A|webhostbox|03|net|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; reference:url, www.virustotal.com/en/domain/143biz.cc.md-14.webhostbox.net/information/; classtype:trojan-activity; sid:31226; rev:1; )

The only difference seems to be the reference metadata and the message (Win.Trojan.Backoff vs Win.Trojan.Soraya). Thought I'd point it out and suggest possibly combining them.

Thanks,
Travis
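As an added illustration of the overlap Travis describes (example code, not from the post or the Snort project), the script below parses the two rules, groups them by the options that actually drive matching (header, flow, byte_test, content, fast_pattern) while ignoring msg, reference, metadata, classtype, sid and rev, and decodes the DNS wire-format content match back to the domain name. The rule strings are constructed copies of the two signatures quoted above; the option-splitting is a simplified tokenizer that does not handle escaped quotes.

```python
from collections import defaultdict

# Constructed copies of the two rules quoted in the post.
RULES = [
    'alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain '
    '143biz.cc.md-14.webhostbox.net - Win.Trojan.Backoff"; flow:to_server; byte_test:1,!&,0xF8,2; '
    'content:"|06|143biz|02|cc|05|md-14|0A|webhostbox|03|net|00|"; fast_pattern:only; '
    'metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; '
    'reference:url, www.virustotal.com/en/url/b7aac87f8be38de5a35efac918c577380f229d461c5d7567bd5842b71d252523/analysis/; '
    'classtype:trojan-activity; sid:32446; rev:1; )',
    'alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain '
    '143biz.cc.md-14.webhostbox.net - Win.Trojan.Soraya"; flow:to_server; byte_test:1,!&,0xF8,2; '
    'content:"|06|143biz|02|cc|05|md-14|0A|webhostbox|03|net|00|"; fast_pattern:only; '
    'metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; '
    'reference:url, www.virustotal.com/en/domain/143biz.cc.md-14.webhostbox.net/information/; '
    'classtype:trojan-activity; sid:31226; rev:1; )',
]

# Options that describe a rule but do not change which packets it matches.
DESCRIPTIVE = {"msg", "reference", "metadata", "classtype", "sid", "rev", "gid", "priority"}

def parse_rule(rule):
    """Split a Snort rule into its header and an ordered list of (name, value) options."""
    header, _, body = rule.partition("(")
    opts, cur, in_quote = [], "", False
    for ch in body.rstrip().rstrip(")"):
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:       # ';' ends an option only outside quotes
            name, _, value = cur.strip().partition(":")
            opts.append((name, value.strip()))
            cur = ""
        else:
            cur += ch
    return header.strip(), opts

def detection_key(rule):
    """Header plus matching options only, so differences in msg/reference/sid collapse."""
    header, opts = parse_rule(rule)
    return header, tuple((n, v) for n, v in opts if n not in DESCRIPTIVE)

def find_duplicates(rules):
    """Return sorted sid lists for every group of rules sharing identical detection logic."""
    groups = defaultdict(list)
    for rule in rules:
        groups[detection_key(rule)].append(int(dict(parse_rule(rule)[1])["sid"]))
    return [sorted(sids) for sids in groups.values() if len(sids) > 1]

def content_to_domain(content):
    """Decode a content match in DNS label format (|06|143biz|02|cc ...) back to a dotted name."""
    raw, labels, pos = b"", [], 0
    for i, part in enumerate(content.strip('"').split("|")):
        raw += bytes.fromhex(part) if i % 2 else part.encode()   # odd pieces are |hex| blocks
    while raw[pos]:                       # length-prefixed labels until the terminating zero byte
        labels.append(raw[pos + 1:pos + 1 + raw[pos]].decode())
        pos += 1 + raw[pos]
    return ".".join(labels)

if __name__ == "__main__":
    # byte_test:1,!&,0xF8,2 checks the flags byte at offset 2: QR and Opcode bits clear, i.e. a standard query.
    print("identical detection logic:", find_duplicates(RULES))
    print("domain:", content_to_domain(dict(parse_rule(RULES[0])[1])["content"]))
```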
Snort-sigs mailing list: https://lists.sourceforge.net/lists/listinfo/snort-sigs