Snort mailing list archives
Re: Suspicious DNS rule
From: Marcos Rodriguez <mrodriguez () sourcefire com>
Date: Wed, 1 Aug 2018 15:07:15 -0400
On Tue, Jul 31, 2018 at 1:16 PM, James Lay via Snort-sigs < snort-sigs () lists snort org> wrote:
So ok....I got three samples, two Agent Tesla, one Formbook, all exhibit the following. List of samples on any.run:
https://app.any.run/tasks/33d3e229-fba7-476b-8ec9-7464eacb1ca3
https://app.any.run/tasks/6d9371e7-249b-47d1-bbbb-cf66dd34e30b
https://app.any.run/tasks/065b87cb-a6d3-4dc7-a06f-a893281b4263
These requests show up funky: my only guess is a specific packer is calling out, as the three samples are all .NET. Anyway, sig below:
alert udp $HOME_NET any -> any 53 (msg:"Suspicious DNS Request"; content:"|01 00 00 01 00 00 00 00 00 00 02 ca b1 03 6f 72 67 00|"; fast_pattern:only; classtype:trojan-activity; sid:XXXXXX; rev:1; metadata:created_at 2018_07_31;)
If someone has any more insight I'd love to know what this really is. Thank you.
James
Hi James,
This looks interesting! Thanks for your submission and we'll get this rolled into our testing process and get back to you. Thanks again!
--
Marcos Rodriguez
Cisco Talos
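As an added example (not code from either poster in this thread), the Python below decodes the rule's content bytes as a DNS query so a reader can see what the signature actually keys on: the header after the transaction ID (flags 0x0100, one question, no other records) followed by a QNAME whose first label is the two non-ASCII bytes ca b1, then "org". The transaction ID, QTYPE and QCLASS appended to build the sample packet are constructed values, not taken from the any.run captures, and `parse_dns_query`, `non_hostname_labels` and `rule_matches` are names chosen here.

```python
import struct

# Byte pattern from the rule posted in the thread: DNS header after the
# 2-byte transaction ID (flags 0x0100, QDCOUNT 1, AN/NS/AR 0), then the QNAME.
RULE_CONTENT = bytes.fromhex("01 00 00 01 00 00 00 00 00 00 02 ca b1 03 6f 72 67 00")

# Constructed sample query (not a capture from the thread): a made-up
# transaction ID in front of the rule bytes, then QTYPE A (1) and QCLASS IN (1).
SAMPLE_QUERY = b"\x12\x34" + RULE_CONTENT + b"\x00\x01\x00\x01"

# Constructed benign query for comparison: example.com, type A, class IN.
BENIGN_QUERY = (b"\x12\x34" + b"\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
                + b"\x07example\x03com\x00" + b"\x00\x01\x00\x01")


def parse_dns_query(payload):
    """Parse the 12-byte header and the first question of a DNS query.

    Returns a dict with the header counters, the raw QNAME labels as bytes,
    and the QTYPE/QCLASS. Raises ValueError on truncated or compressed input.
    """
    if len(payload) < 12:
        raise ValueError("payload shorter than DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", payload[:12])
    labels = []
    pos = 12
    while True:
        if pos >= len(payload):
            raise ValueError("truncated QNAME")
        length = payload[pos]
        pos += 1
        if length == 0:          # root label terminates the name
            break
        if length & 0xC0:        # compression pointers do not belong in a query name
            raise ValueError("compression pointer in query QNAME")
        labels.append(payload[pos:pos + length])
        pos += length
    if pos + 4 > len(payload):
        raise ValueError("truncated question section")
    qtype, qclass = struct.unpack("!HH", payload[pos:pos + 4])
    return {"txid": txid, "flags": flags, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar, "labels": labels,
            "qtype": qtype, "qclass": qclass}


def non_hostname_labels(labels):
    """Return the labels that contain bytes outside the RFC 1035 hostname set
    (letters, digits, hyphen). The ca b1 label in the rule is one such case,
    which is why the query looks odd in a packet decoder."""
    allowed = set(b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-")
    return [label for label in labels if any(b not in allowed for b in label)]


def rule_matches(payload):
    """Emulate the Snort content match: a plain substring search for the
    rule's bytes anywhere in the UDP payload."""
    return RULE_CONTENT in payload


if __name__ == "__main__":
    for name, pkt in (("sample", SAMPLE_QUERY), ("benign", BENIGN_QUERY)):
        q = parse_dns_query(pkt)
        print(name, "labels:", q["labels"],
              "odd labels:", non_hostname_labels(q["labels"]),
              "rule match:", rule_matches(pkt))
```

Running this shows the sample query matching the rule and carrying one label with non-hostname bytes, while the example.com query matches neither check. Note that the rule's content anchors on a fixed two-byte label, so it is tight against false positives but also brittle: a packer that rotates the first label would slip past it, which is worth keeping in mind when the signature goes through testing.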