[Emerging-Sigs] Spyware DNS
Markus Lude
markus.lude at gmx.de
Thu Feb 21 13:34:34 EST 2008
On Thu, Feb 21, 2008 at 08:21:31AM -0700, James Pleger wrote:
> The only thing that I would be concerned about is udp and non http traffic
> wouldn't get logged. I did see a udp based C&C about a year ago that was
> using encrypted udp/53 for outbound C&C communications.
We have one with an emule client which used 53/udp.
Regards,
Markus
> On Thu, Feb 21, 2008 at 7:55 AM, Matt Jonkman <jonkman at jonkmans.com> wrote:
>
> > I'd save your effort there. Redirect them to a local listening apache
> > and use its logs. You can also config a CustomLog to record the domain
> > name they went for, capture the data posted, full URL, user-agent, the
> > whole deal.
> >
> > In the spyware listening post where folks are redirecting to us, I log
> > url, Useragent and domain and we use that data for feeding other lists
> > and writing new sigs. Quite useful.
> >
> > Matt
> >
> > Jim McQuaid wrote:
> > > "What the hit on the lookup indicates is that the dumass user clicked
> > > on something shiny, or has spyware installed, or visited a site that
> > > tried to do a driveby install."
> > >
> > > I have 113,000 objects blackholed, and cannot run the corresponding
> > > snort sigs without dedicating an entire box to it. What I want is a
> > > DNS-generated entry in my IDS or firewall logs indicating the local
> > > machine that made the connection attempt, and the blacklisted object
> > > by name, and I want to do this without using Squid. A succinct, plain
> > > text log would suffice. So, I've retrieved my handful of DNS
> > > programming books.
> > >
> > > James McQuaid
> > >
> > >
> > >
> >
> > --
> > --------------------------------------------
> > Matthew Jonkman
> > Emerging Threats
> > Phone 765-429-0398
> > Fax 312-264-0205
> > http://www.emergingthreats.net
> > --------------------------------------------
> >
> > PGP: http://www.jonkmans.com/mattjonkman.asc
> >
> >
> > _______________________________________________
> > Emerging-sigs mailing list
> > Emerging-sigs at emergingthreats.net
> > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> >
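Matt's suggestion above (redirect the blackholed names to a local listener and log the requested host, URL, user-agent and posted data) and Jim's wish for a succinct plain-text line naming the local machine and the blacklisted object can be met with a small HTTP sinkhole. The following is an added example written for this thread, not code from the list or from Emerging Threats; it uses only Python's standard `http.server`, and the port and log destination are assumptions.

```python
"""Minimal HTTP sinkhole ("listening post") for redirected blackholed domains.
Each request becomes one tab-separated line: client IP, method, Host header
(the blacklisted name), URL, User-Agent and any POSTed body."""
import sys
from http.server import BaseHTTPRequestHandler, HTTPServer

MAX_BODY = 4096  # cap logged POST data so a noisy client cannot flood the log


def format_log_line(client_ip, method, host, path, user_agent, body=b""):
    """Build one log line. Control characters and non-ASCII are escaped so a
    crafted Host or User-Agent header cannot forge extra lines in the log."""
    def clean(s):
        return s.encode("unicode_escape").decode("ascii") if s else "-"
    body_txt = clean(body[:MAX_BODY].decode("latin-1")) if body else "-"
    return "\t".join([client_ip, method, clean(host), clean(path),
                      clean(user_agent), body_txt])


class SinkholeHandler(BaseHTTPRequestHandler):
    def _record(self):
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length) if length > 0 else b""
        line = format_log_line(self.client_address[0], self.command,
                               self.headers.get("Host", ""), self.path,
                               self.headers.get("User-Agent", ""), body)
        sys.stdout.write(line + "\n")  # assumption: stdout; redirect to a file
        sys.stdout.flush()
        # Answer with an empty 200 so the client gets a response and moves on
        self.send_response(200)
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_GET = do_POST = do_HEAD = _record

    def log_message(self, *args):  # silence the default stderr access log
        pass


if __name__ == "__main__":
    # Assumption: the blackholed names resolve to this host's address
    HTTPServer(("0.0.0.0", 80), SinkholeHandler).serve_forever()
```

Apache can produce an equivalent line with a `LogFormat` using `%h`, `%{Host}i`, `%r` and `%{User-Agent}i` if a full web server is preferred; the point of the small script is that the Host header is logged as the "blacklisted object by name" beside the client address.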