[Emerging-Sigs] Spyware DNS rules
Matt Jonkman
jonkman at jonkmans.com
Wed Feb 20 08:48:40 EST 2008
Hey Jack, thanks for doing the rules back up. We hadn't been generating
them anymore since the move from bleeding over to emerging.
I have concerns with these rules for a few reasons.
1. The sheer number of rules is a significant load to snort. If you're
pushing any significant dns traffic this'll kill a sensor.
2. The list is only going to grow, and even faster in the near future as
we have our expanded intel gathering online now that's feeding David's list.
3. There's a much better way: Use the dnsbh as intended and redirect
infected clients to a local listener to log who's trying to connect to
what domains.
That said, emerging threats is all about catering to everyone in every
niche. And these rules will serve a purpose in a lot of places, I just
want to be clear that there's a more effective way, but am aware that
dns blackholing isn't always an option in all nets.
On the sid issues, here's what's allocated:
2410000-2419999 Spyware DNS Rules from the DNS Blackhole
as per http://doc.emergingthreats.net/bin/view/Main/SidAllocation
If you're going to keep this ruleset up, let's give it a new range,
2600000-2699999. 100k sids ought to be more than enough.
I'll mirror the ruleset on ET as well.
Matt
Jack Pepper wrote:
>> Finally, is there a way to identify the client machine in some way as
>> opposed to a DNS lookup?
>> I would be much more interested in knowing what client is contacting a
>> domain as opposed to my dns server...
>
> The source address in the rule is the workstation that asked for the
> domain. The reason for the "!DNS_SERVERS" in the source column is
> that DNS servers replicate, pass queries among themselves, etc., which
> generates hundreds of bogus hits.
>
> MAIL servers ask for bogus DNS names all the time also, especially
> when checking SPF records and stuff like that. So I should probably
> change the source field to be "[!SMTP_SERVERS,!DNS_SERVERS]". Maybe
> that's rev4 right there, eh?
>
> But aside from DNS and SMTP servers, the source field will be the
> workstation that asked for the domain.
>
>>
>> On Feb 19, 2008 11:32 PM, Jack Pepper <pepperjack at afferentsecurity.com>
>> wrote:
>>
>>> Since I was the original author of the program that generated the
>>> spyware-dns rules on BT, I think this is a good time to rewrite it.
>>> There were several things I never liked about the old spyware-dns
>>> ruleset.
>>>
>>> I have put the ruleset on my personal site at:
>>> http://www.autoshun.org/downloads/bhdns.rules
>>>
>>> These rules are automatically generated once per day from the domains
>>> list at the Blackhole DNS project ( http://www.malwaredomains.com ).
>>>
>>> Matt: We have a bit of a problem with the SID allocation. The sid
>>> allocation sets aside 10000 sids for bhdns rules, but there are 17000+
>>> domains in the bhdns list.
>>>
>>> I have started counting from 2410001 which takes us up through
>>> sid=2427300. How do you want to handle this? I can regenerate the
>>> list to fit whatever range you think is good. Let me know.
>>>
>>> David: I did not put a license statement on the ruleset. I was going
>>> to release under the BSD license, but I wasn't sure what kind of
>>> license you intended for the domains.txt file (since that is the
>>> source file for all the content). The spyware dns ruleset feels like
>>> a derivative work to me, so are you OK with putting the BSD license on
>>> the ruleset?
>>>
>>>
>>> jp
>>> --
>>>
>>> Framework? I don't need no steenking framework!
>>>
>>> ----------------------------------------------------------------
>>> @fferent Security Labs: Isolate/Insulate/Innovate
>>> http://www.afferentsecurity.com
>>>
>>> _______________________________________________
>>> Emerging-sigs mailing list
>>> Emerging-sigs at emergingthreats.net
>>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>
>
>
>
--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc
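As an added illustration (not Jack's bhdns generator or any Emerging Threats code), here is a small Python generator in the shape the thread describes: each blackholed domain becomes a UDP/53 rule whose source is the querying host with DNS servers excluded, the domain is matched in DNS wire-label form, and the generator refuses to run past the allocated sid range instead of silently overflowing it. The msg prefix, the `$`-prefixed Snort variable name and the sample domain list are assumptions.

```python
"""Generate Snort rules for DNS lookups of blackholed domains.

Added example; not the bhdns.rules generator. Assumes:
  - one domain per line in the input (constructed sample below)
  - Snort variable syntax ($DNS_SERVERS), so the excluded source is !$DNS_SERVERS
  - an sid range allocated as on the ET SidAllocation page
"""

# Constructed sample in the one-domain-per-line style; not real indicators.
SAMPLE_DOMAINS = """\
# comment lines and blanks are skipped
evil-example.test
tracker.example.test

cdn.sub.example.test
"""

def parse_domains(text):
    """Return the non-empty, non-comment lines as lower-cased domain names."""
    out = []
    for line in text.splitlines():
        line = line.strip().lower()
        if line and not line.startswith("#"):
            out.append(line.rstrip("."))
    return out

def dns_wire_content(domain):
    """Encode a name as DNS wire-format labels in Snort content syntax,
    e.g. example.test -> "|07|example|04|test|00|" (length byte per label)."""
    parts = []
    for label in domain.split("."):
        if not 0 < len(label) < 64:
            raise ValueError("bad label length in %r" % domain)
        parts.append("|%02x|%s" % (len(label), label))
    return '"' + "".join(parts) + '|00|"'

def make_rule(domain, sid, source="!$DNS_SERVERS"):
    """One rule: src is the querying host; DNS servers excluded (Jack's rationale)."""
    return ('alert udp %s any -> any 53 (msg:"BHDNS DNS query %s"; '
            'content:%s; nocase; classtype:trojan-activity; '
            'sid:%d; rev:1;)' % (source, domain, dns_wire_content(domain), sid))

def generate(text, first_sid, last_sid):
    """Build the ruleset; refuse to overrun the allocated sid range."""
    domains = parse_domains(text)
    end = first_sid + len(domains) - 1
    if end > last_sid:
        raise ValueError("%d domains need sids %d-%d, past allocation end %d"
                         % (len(domains), first_sid, end, last_sid))
    return [make_rule(d, first_sid + i) for i, d in enumerate(domains)]
```

With the thread's own numbers, 17000+ domains starting at 2410001 trip the range check for the 2410000-2419999 allocation but fit comfortably in 2600000-2699999.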