Re: 45907 FP

["Nicholas Mavis \(nmavis\) via Snort-sigs" <snort-sigs () lists snort org>]

Hey James,

Good to see you on the list again.

Detecting flow direction can be difficult for DNS rules but I think this rule should be "$HOME_NET any -> any 53" to 
cover requests to both internal and external DNS servers originating from your network.

I'm going to make a revision to this rule for you.

Thanks,
Nick Mavis
Sr. Research Engineer, Talos
________________________________
From: Snort-sigs <snort-sigs-bounces () lists snort org> on behalf of James Lay via Snort-sigs <snort-sigs () lists 
snort org>
Sent: Sunday, May 24, 2020 7:06 AM
To: Snort-Sigs <snort-sigs () lists snort org>
Subject: [Snort-sigs] 45907 FP

Seen about 5 of these starting on the 15th...this is an incoming request for aaa[.]stage[.]no[.]offense from 
212.92.125.191:

05/24-10:02:05.674357  [**] [1:45907:1] MALWARE-CNC Cobalt Strike DNS beacon outbound TXT record [**] [Classification: 
A Network Trojan was Detected] [Priority: 1] {UDP} 212.92.124.191:41900 -> x.x.x.x:53

James

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a 
href=" https://snort.org/downloads/#rule-downloads";>emerging threats</a>!