[Emerging-Sigs] RBN-Blackhole evasion tactic

Matt Jonkman jonkman at jonkmans.com
Fri Feb 15 18:14:54 EST 2008


Keep the ideas flowing, but I don't see multiple level domain names as
an indication of hostility. Any state website or county gov't in the US
is gonna be at least 5 levels deep, as are many legit sites. And
internal stuff, etc...

David Glosser wrote:
> Could there be a rule flagging any URL containing more than 4 or 5 levels?
> 
> _don't flag on:_
> trustedprotection.com
> ladies.trustedprotection.com
> bearded.ladies.trustedprotection.com
> 
> _but flag on:_
> heavily.bearded.ladies.trustedprotection.com,
> very.heavily.bearded.ladies.trustedprotection.com
> verification.ssl.matercardverification.index.asp.trustedprotection.com  
> <--phishing attempt
> 
> 
> 
> 
> On Feb 15, 2008 2:15 PM, Jack Pepper <pepperjack at afferentsecurity.com
> <mailto:pepperjack at afferentsecurity.com>> wrote:
> 
>     FWIW, here are 271 rules that look for wildcard DNS rules.  I just
>     enumerated all the country codes and IANA TLDs to make this list.
> 
>     I am going to try it out and see if I get lots of bogus hits, or maybe
>     ... who knows.
> 
>     Feel free to give them a try, see what we find.
> 
>     If the attachment gets cut off for some reason, I put it on my
>     website at:
> 
>     http://www.autoshun.org/downloads/wildcard-dns.rules
> 
>     Let me know if anyone has suggestions.
> 
>     jp
> 
>     --
> 
>     Framework?  I don't need no stinking framework!
> 
>     ----------------------------------------------------------------
>     @fferent Security Labs:  Isolate/Insulate/Innovate
>     http://www.afferentsecurity.com
> 
> 
> 

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
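As an added example (not code from the thread, from Jack Pepper's ruleset, or from Emerging Threats), the following Python implements the "more than N DNS levels" heuristic David proposes and runs it over the hostnames he lists, plus constructed deep-but-legitimate government-style and internal hostnames of the kind Matt describes, to show the false positives that objection predicts. The threshold of 4 labels, the Host-header regex (the shape a pcre in a Snort rule for this heuristic would take), and every hostname not quoted in the thread are assumptions.

```python
# Added example, not code from the thread or from any poster's ruleset.
# Implements the "more than N DNS levels" heuristic proposed in the thread and
# shows why the objection to it holds: legitimate deep hostnames trip it too.
import re
from urllib.parse import urlsplit

# Threshold taken from the thread's "more than 4 or 5 levels"; 4 is an assumption.
MAX_LEVELS = 4

# Hostnames quoted in the thread (David Glosser's examples).
THREAD_SAMPLES = [
    "trustedprotection.com",
    "ladies.trustedprotection.com",
    "bearded.ladies.trustedprotection.com",
    "heavily.bearded.ladies.trustedprotection.com",
    "very.heavily.bearded.ladies.trustedprotection.com",
    "verification.ssl.matercardverification.index.asp.trustedprotection.com",
]

# Constructed, hypothetical legitimate hostnames of the kind Matt describes
# (state/county government and internal names that are 5+ labels deep).
LEGIT_DEEP_SAMPLES = [
    "forms.revenue.state.example.us",
    "records.clerk.county.example.us",
    "db01.prod.corp.internal.example.com",
]


def hostname_from_url(url_or_host: str) -> str:
    """Extract the hostname from a URL or bare hostname (port and path dropped)."""
    if "://" not in url_or_host:
        url_or_host = "http://" + url_or_host
    return (urlsplit(url_or_host).hostname or "").lower()


def label_depth(hostname: str) -> int:
    """Count DNS labels, ignoring a trailing dot and empty labels."""
    return len([label for label in hostname.strip().rstrip(".").split(".") if label])


def is_suspicious(url_or_host: str, max_levels: int = MAX_LEVELS) -> bool:
    """The thread's heuristic: flag anything deeper than max_levels labels."""
    return label_depth(hostname_from_url(url_or_host)) > max_levels


def host_header_pattern(max_levels: int = MAX_LEVELS) -> re.Pattern:
    """Regex over raw HTTP request text matching a Host header with more than
    max_levels labels: max_levels "label." groups followed by a final label
    means at least max_levels + 1 labels. This is the shape a pcre in a Snort
    rule for the heuristic would take (assumed, not a rule from the thread)."""
    return re.compile(
        r"^Host:\s*(?:[^.\s:]+\.){%d,}[^.\s:]+" % max_levels,
        re.IGNORECASE | re.MULTILINE,
    )


def classify(samples, max_levels: int = MAX_LEVELS):
    """Return {hostname: (depth, flagged)} for a list of hostnames or URLs."""
    return {
        s: (label_depth(hostname_from_url(s)), is_suspicious(s, max_levels))
        for s in samples
    }


def false_positive_rate(legit_samples, max_levels: int = MAX_LEVELS) -> float:
    """Fraction of known-good hostnames the heuristic would still flag."""
    flagged = sum(1 for s in legit_samples if is_suspicious(s, max_levels))
    return flagged / len(legit_samples) if legit_samples else 0.0


if __name__ == "__main__":
    for host, (depth, flagged) in classify(THREAD_SAMPLES + LEGIT_DEEP_SAMPLES).items():
        print(f"{'FLAG ' if flagged else 'pass '} depth={depth} {host}")
    print("false-positive rate on legitimate deep names:",
          false_positive_rate(LEGIT_DEEP_SAMPLES))
```

With the threshold at 4, the three deep thread hostnames are flagged as intended, but so is every one of the constructed legitimate names, which is the point of the objection: label depth on its own separates nothing, so a rule like this is only usable combined with another indicator (for example a wildcard-DNS match from the attached ruleset) or with an allow-list of known deep domains.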
