[Emerging-Sigs] Spyware DNS

Matt Jonkman jonkman at jonkmans.com
Thu Feb 21 10:32:58 EST 2008


That's a good point James. There could be DNS-based C&C going there.

Maybe run snort with the IP of your listener defined as an external_net.
That'll help at least.

Matt

James Pleger wrote:
> The only thing that I would be concerned about is udp and non http
> traffic wouldn't get logged. I did see a udp based C&C about a year ago
> that was using encrypted udp/53 for outbound C&C communications.
> 
> --James
> 
> On Thu, Feb 21, 2008 at 7:55 AM, Matt Jonkman <jonkman at jonkmans.com
> <mailto:jonkman at jonkmans.com>> wrote:
> 
>     I'd save your effort there. Redirect them to a local listening apache
>     and use its logs. You can also config a CustomLog to record the domain
>     name they went for, capture the data posted, full URL, user-agent, the
>     whole deal.
> 
>     In the spyware listening post where folks are redirecting to us, I log
>     url, Useragent and domain and we use that data for feeding other lists
>     and writing new sigs. Quite useful.
> 
>     Matt
> 
>     Jim McQuaid wrote:
>     > "What the hit on the lookup indicates is that the dumass user clicked
>     > on something shiny, or has spyware installed, or visited a site that
>     > tried to do a driveby install."
>     >
>     > I have 113,000 objects blackholed, and cannot run the corresponding
>     > snort sigs without dedicating an entire box to it.  What I want is a
>     > DNS-generated entry in my IDS or firewall logs indicating the local
>     > machine that made the connection attempt, and the blacklisted object
>     > by name, and I want to do this without using Squid.  A succinct, plain
>     > text log would suffice.  So, I've retrieved my handful of DNS
>     > programming books.
>     >
>     > James McQuaid
>     >
>     >
>     >
> 

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
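Matt's suggestion of a local Apache listener with a CustomLog, in runnable form as an added example that is not part of the original thread: the LogFormat line is an assumed one (the combined format plus the Host header), the log lines are constructed with placeholder hostnames, and the parser turns them into the succinct "client -> blackholed name" text log Jim asked for, while showing why James's non-HTTP traffic never appears in it.

```python
import re
from collections import defaultdict

# Assumed Apache configuration on the sinkhole listener (not from the thread):
#   LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" \"%{Host}i\"" sinkhole
#   CustomLog /var/log/apache2/sinkhole.log sinkhole
# Every blackholed name resolves to this listener, so %{Host}i is the name the client asked for.

LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<host>[^"]*)"$'
)

def parse_line(line):
    """Return the fields of one sinkhole log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def summarize(lines):
    """Map each internal client to the sorted set of blackholed hostnames it tried to reach.

    Requests without a Host header are kept under '(no host header)' so that
    HTTP/1.0 clients are still visible. Anything that is not an HTTP hit (UDP/53
    C&C, as James noted) never reaches this log at all and must be caught elsewhere.
    """
    hits = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line, skip rather than guess
        host = rec["host"].split(":")[0]  # drop an explicit port such as name:80
        hits[rec["client"]].add(host if host and host != "-" else "(no host header)")
    return {client: sorted(hosts) for client, hosts in hits.items()}

def plain_text_report(lines):
    """One 'client hostname' line per (client, blackholed name) pair, sorted by client."""
    return [f"{client} {host}"
            for client, hosts in sorted(summarize(lines).items()) for host in hosts]

# Constructed sample lines in the assumed format (hostnames are placeholders, not real indicators).
SAMPLE_LOG = [
    '10.0.0.12 - - [21/Feb/2008:07:55:01 -0500] "GET /in.cgi?id=7 HTTP/1.1" 200 12 "-" "Mozilla/4.0" "blackholed-example.test"',
    '10.0.0.12 - - [21/Feb/2008:07:55:03 -0500] "POST /gate.php HTTP/1.1" 200 0 "-" "Mozilla/4.0" "blackholed-example.test:80"',
    '10.0.0.45 - - [21/Feb/2008:08:01:17 -0500] "GET / HTTP/1.0" 200 12 "-" "-" "-"',
    'garbage line that does not match the format',
]

if __name__ == "__main__":
    for entry in plain_text_report(SAMPLE_LOG):
        print(entry)
```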