Re: Suspicious DNS rule

[Marcos Rodriguez <mrodriguez () sourcefire com>]

On Tue, Jul 31, 2018 at 1:16 PM, James Lay via Snort-sigs <
snort-sigs () lists snort org> wrote:

> So ok....I got three samples, two agent telsa, one formbook, all exhibit
> the following:
>
> list of samples on any_run:
>
> https://app.any.run/tasks/33d3e229-fba7-476b-8ec9-7464eacb1ca3
> https://app.any.run/tasks/6d9371e7-249b-47d1-bbbb-cf66dd34e30b
> https://app.any.run/tasks/065b87cb-a6d3-4dc7-a06f-a893281b4263
>
> these request show up funky:
>
> my only guess is a specific packer is calling out as the three samples are
> all .NET.  Anyway sig below:
>
> alert udp $HOME_NET any -> any 53 (msg:"Suspicious DNS Request";
> content:"|01 00 00 01 00 00 00 00 00 00 02 ca b1 03 6f 72 67 00|";
> fast_pattern:only; classtype:trojan-activity; sid:XXXXXX; rev:1;
> metadata:created_at 2018_07_31;)
>
> if someone has any more insight I'd love to know what this really is.
> Thank you.
>
> James
Hi James,

This looks interesting!  Thanks for your submission and we'll get this
rolled into our testing process and get back to you.  Thanks again!

-- 
Marcos Rodriguez
Cisco Talos

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a 
href=" https://snort.org/downloads/#rule-downloads";>emerging threats</a>!