Snort mailing list archives
Re: indicator DNS queries
From: Y M via Snort-sigs <snort-sigs () lists snort org>
Date: Fri, 8 Dec 2017 14:04:50 +0000
Please keep the posts on the list. I'm not sure if you are asking or thinking out loud. Either way, probably no one can help you answer that question but you. That's why I stressed "your environment" in my previous response.

________________________________
From: Weissenburger, Steve <scweissen () tegna com>
Sent: Friday, December 8, 2017 4:26:07 PM
To: Y M
Subject: RE: [Snort-sigs] indicator DNS queries

Thanks for the response... now how to find the queries from our internal hosts.

From: Y M [mailto:snort () outlook com]
Sent: Thursday, December 07, 2017 2:53 PM
To: Weissenburger, Steve <scweissen () tegna com>; snort-sigs () lists snort org
Subject: Re: [Snort-sigs] indicator DNS queries

These rules detect DNS queries generated from the protected/home network to domain(s) ending with the top-level domains (TLDs) "win", "top", and "tk". Depending on your environment, domains under these TLDs might be suspicious, specifically the ones with "win" and "top". You need to identify the sources of these queries (obviously not the DNS servers, but the clients requesting the domains) and determine their legitimacy based on your environment and security requirements. Most often, I have seen these originating from mail gateways due to the sheer amount of spam sent from these domains. Your environment may be different.

________________________________
From: Snort-sigs <snort-sigs-bounces () lists snort org> on behalf of Weissenburger, Steve <scweissen () tegna com>
Sent: Tuesday, December 5, 2017 8:44:53 PM
To: snort-sigs () lists snort org
Subject: [Snort-sigs] indicator DNS queries

Hello,

I'm being hit with these three snort rules and trying to find more info on what exactly these are doing but coming up empty. Can anyone provide more insight? I'm a snort newbie.

Thanks,
Steve

INDICATOR-COMPROMISE Suspicious .win dns query (1:44077:1)
INDICATOR-COMPROMISE Suspicious .top dns query (1:43687:1)
INDICATOR-COMPROMISE Suspicious .tk dns query (1:39867:3)
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most emerging threats: https://snort.org/downloads/#rule-downloads
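The follow-up question in the thread ("how to find the queries from our internal hosts") is the part the rules themselves cannot answer. When Snort watches the link between an internal recursive resolver and the internet, the source address in an alert for SIDs 44077, 43687 or 39867 is the resolver, not the workstation or mail gateway that asked for the name; the real client is only in the resolver's own query log. The script below is an added example, not code from this thread or from the Snort project: it reads alert_fast lines, keeps only the three SIDs named above, and for alerts whose source is a known internal resolver replaces that source with the clients found in a BIND-style query log for names under the same TLD. An alert whose source is not a resolver is reported as-is, because that host is talking to an external DNS server directly, which is worth a look on its own. The resolver address (10.0.0.53), the query-log layout, and every log line are constructed assumptions for the example; only the SIDs and TLDs come from the thread.

```python
"""Added example: map Snort TLD-indicator alerts back to the internal clients.

Assumptions (not from the thread): resolver address, BIND-style query-log
layout, and all sample log lines below are constructed for this example.
"""
import re
from collections import defaultdict

# SIDs named in the thread, mapped to the TLD each rule is about.
TLD_RULES = {44077: "win", 43687: "top", 39867: "tk"}

# Hypothetical: our internal recursive resolver(s). Alerts sourced from these
# addresses only tell us that *someone* behind the resolver asked.
INTERNAL_RESOLVERS = {"10.0.0.53"}

# Snort alert_fast layout:
#   <ts> [**] [gid:sid:rev] <msg> [**] [Classification: ..] [Priority: n] {proto} src:port -> dst:port
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Assumed BIND-style query log line:
#   <date> client <ip>#<port> (<qname>): query: <qname> IN <qtype> <flags> (<server-ip>)
QUERY_RE = re.compile(
    r"client\s+(?P<client>[\d.]+)#\d+\s+\((?P<qname>[^)]+)\):\s+query:\s+\S+\s+IN\s+(?P<qtype>\w+)"
)

# Constructed sample alerts: two sourced from the resolver, one from a host
# that bypasses the resolver and talks to an external DNS server directly.
SAMPLE_ALERTS = """\
12/07-14:53:12.123456  [**] [1:44077:1] INDICATOR-COMPROMISE Suspicious .win dns query [**] [Classification: Misc activity] [Priority: 3] {UDP} 10.0.0.53:41234 -> 192.0.2.1:53
12/07-14:53:15.000001  [**] [1:43687:1] INDICATOR-COMPROMISE Suspicious .top dns query [**] [Classification: Misc activity] [Priority: 3] {UDP} 10.0.0.53:41235 -> 192.0.2.1:53
12/07-14:53:20.000002  [**] [1:39867:3] INDICATOR-COMPROMISE Suspicious .tk dns query [**] [Classification: Misc activity] [Priority: 3] {UDP} 10.0.0.77:5353 -> 192.0.2.1:53
"""

# Constructed resolver query log. Note win.example.com must NOT be counted as
# a .win query: only the last label decides the TLD.
SAMPLE_QUERY_LOG = """\
07-Dec-2017 14:53:12.101 client 10.1.2.3#51234 (update.example.win): query: update.example.win IN A + (10.0.0.53)
07-Dec-2017 14:53:12.110 client 10.1.2.9#51300 (mail.example.win): query: mail.example.win IN MX + (10.0.0.53)
07-Dec-2017 14:53:14.990 client 10.1.2.3#51240 (cdn.example.top): query: cdn.example.top IN A + (10.0.0.53)
07-Dec-2017 14:53:16.000 client 10.1.2.5#51250 (www.example.com): query: www.example.com IN A + (10.0.0.53)
07-Dec-2017 14:53:16.500 client 10.1.2.5#51251 (win.example.com): query: win.example.com IN A + (10.0.0.53)
"""


def parse_alerts(text):
    """Return (sid, tld, src, dst) for every alert_fast line belonging to the three TLD rules."""
    hits = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue
        sid = int(m.group("sid"))
        if sid in TLD_RULES:
            hits.append((sid, TLD_RULES[sid], m.group("src"), m.group("dst")))
    return hits


def clients_for_tlds(query_log, tlds):
    """Map tld -> {client_ip: sorted queried names} from the resolver's query log."""
    found = defaultdict(lambda: defaultdict(set))
    for line in query_log.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        qname = m.group("qname").rstrip(".").lower()
        tld = qname.rsplit(".", 1)[-1]  # last label only, so win.example.com is ignored
        if tld in tlds:
            found[tld][m.group("client")].add(qname)
    return {t: {c: sorted(n) for c, n in cs.items()} for t, cs in found.items()}


def triage(alert_text, query_log, resolvers=INTERNAL_RESOLVERS):
    """For each alert, name the hosts that actually asked.

    Resolver-sourced alerts are expanded to the clients seen in the query log
    for that TLD; anything else is reported as the direct querier (empty list).
    """
    hits = parse_alerts(alert_text)
    by_tld = clients_for_tlds(query_log, {tld for _, tld, _, _ in hits})
    report = {}
    for sid, tld, src, _dst in hits:
        if src in resolvers:
            report[(sid, tld)] = by_tld.get(tld, {})
        else:
            report[(sid, tld)] = {src: []}  # bypassed the resolver: the source IS the client
    return report


if __name__ == "__main__":
    for (sid, tld), clients in triage(SAMPLE_ALERTS, SAMPLE_QUERY_LOG).items():
        print(f"sid {sid} (.{tld}):")
        for client, names in clients.items():
            print(f"  {client}: {', '.join(names) or '(direct external DNS, no resolver log)'}")
```

Run against real data, point `parse_alerts` at the sensor's alert file and `clients_for_tlds` at the resolver's query log (or the equivalent Windows DNS debug/analytic log with an adjusted `QUERY_RE`); the join is only as good as the clocks and retention on both sides, so pull the resolver log for the same window as the alerts. The empty-list case is the one to chase first: a host that sends DNS straight to the internet instead of through the resolver is either misconfigured or deliberately avoiding your logging.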