[Emerging-Sigs] Spyware DNS
Matt Jonkman
jonkman at jonkmans.com
Thu Feb 21 09:51:03 EST 2008
I think you're on track there. But my recommendation is to keep snort
out of the mix. Easier to have a listening apache instance somewhere
logging all hits that you redirect via dns to a local IP.
But I suppose it'd be useful to have snort alert on hits to that
listening apache like James recommends, for timely notification.
But this all assumes you have the ability to add the domains to your
local dns, which not everyone can do.
Matt
James Pleger wrote:
> Can't you just resolve all of your blackholed DNS to a specific response
> that you can create an IDS signature for? It would require having the
> ids between the DNS servers and the clients, but wouldn't it be a bit
> easier?
>
> It is a bit late, so my thoughts may be scattered on what you are trying
> to get done :P
>
> --James
>
> On Wed, Feb 20, 2008 at 9:49 PM, Jim McQuaid <jim.mcquaid at gmail.com
> <mailto:jim.mcquaid at gmail.com>> wrote:
>
> "What the hit on the lookup indicates is that the dumass user clicked
> on something shiny, or has spyware installed, or visited a site that
> tried to do a driveby install."
>
> I have 113,000 objects blackholed, and cannot run the corresponding
> snort sigs without dedicating an entire box to it. What I want is a
> DNS-generated entry in my IDS or firewall logs indicating the local
> machine that made the connection attempt, and the blacklisted object
> by name, and I want to do this without using Squid. A succinct, plain
> text log would suffice. So, I've retrieved my handful of DNS
> programming books.
>
> James McQuaid
>
> --
> James McQuaid
> http://www.jamesmcquaid.com
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> <mailto:Emerging-sigs at emergingthreats.net>
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc
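Matt's approach above (point blackholed names at a local IP via DNS and let a listening Apache log every hit) still leaves Jim's requirement of a succinct "which local machine, which blacklisted object" record. The following added example is not from the thread or from Emerging Threats; it assumes a hypothetical Apache LogFormat on the sinkhole vhost that records the client-supplied Host header, and turns such lines into a plain-text detection log plus a per-client summary. The sample log lines are constructed.

```python
import re
from collections import defaultdict

# Assumed Apache LogFormat on the sinkhole vhost (hypothetical, not from the thread):
#   LogFormat "%h %t \"%{Host}i\" \"%r\" %>s \"%{User-Agent}i\"" sinkhole
# The Host header is logged explicitly because a catch-all vhost's %v would only
# show the sinkhole's own ServerName, not the blackholed name the client asked for.
LINE_RE = re.compile(
    r'^(?P<client>\S+) \[(?P<ts>[^\]]+)\] "(?P<host>[^"]*)" '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)

# Constructed sample hits on the sinkhole listener (not real traffic; .invalid is reserved).
SAMPLE_LOG = """\
10.0.0.12 [21/Feb/2008:09:51:03 -0500] "tracker.invalid" "GET /ad.js HTTP/1.1" 200 "Mozilla/4.0"
10.0.0.12 [21/Feb/2008:09:51:04 -0500] "tracker.invalid" "GET /pixel.gif HTTP/1.1" 200 "Mozilla/4.0"
10.0.0.57 [21/Feb/2008:09:52:10 -0500] "updater.invalid" "POST /report HTTP/1.1" 200 "SpyAgent/1.0"
this line is garbage and must be skipped
10.0.0.57 [21/Feb/2008:09:53:00 -0500] "sinkhole.local" "GET / HTTP/1.1" 200 "curl/7.18"
"""

SINKHOLE_NAMES = {"sinkhole.local"}  # hits on the listener's own name are not detections

def parse_line(line):
    """Return the fields of one sinkhole hit, or None if the line does not parse."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def succinct_log(text):
    """One plain-text line per hit: '<timestamp> <client> -> <blackholed host> <method> <path>'.
    Hits addressed to the sinkhole's own name are dropped; unparsable lines are skipped."""
    out = []
    for line in text.splitlines():
        hit = parse_line(line)
        if hit is None or hit["host"].lower() in SINKHOLE_NAMES:
            continue
        out.append(f'{hit["ts"]} {hit["client"]} -> {hit["host"]} {hit["method"]} {hit["path"]}')
    return out

def hosts_by_client(text):
    """Map each internal client to the set of blackholed names it tried to reach."""
    summary = defaultdict(set)
    for line in text.splitlines():
        hit = parse_line(line)
        if hit and hit["host"].lower() not in SINKHOLE_NAMES:
            summary[hit["client"]].add(hit["host"].lower())
    return dict(summary)

if __name__ == "__main__":
    for entry in succinct_log(SAMPLE_LOG):
        print(entry)
```

The same parser can be pointed at the live sinkhole access log with `tail -F`, or its output fed to whatever the firewall or IDS log pipeline already collects.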