[Emerging-Sigs] 2 Sigs: SCAN & DYNAMIC_DNS
rmkml at free.fr
Tue Oct 4 08:23:03 EDT 2011
Thank you very much for all the posted rules.
Have you tested the first rule please? Because 'http_header' needs a correct header, and if not, I'm not sure Snort is firing?
Do you have a pcap?
On Tue, 4 Oct 2011, Kevin Ross wrote:
> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN Toata Scanner/Invalid Double HTTP in Header Detected"; flow:established,to_server; content:"HTTP/1.1|20|HTTP/1.1"; http_header; threshold: type limit, count 1, seconds 60, track by_src; classtype:attempted-recon; reference:url,isc.sans.org/diary.html?storyid=5599; sid:1231991; rev:1;)
> # Starting to see more and in sandnet
> alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET POLICY DYNAMIC_DNS Query for no-ip Dynamic DNS Domain - Possibly Malware Related"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|no-ip|03|"; distance:0; fast_pattern; classtype:misc-activity; sid:1231992; rev:1;)
> Regards, Kevin
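As an added example (not code from the thread or from Emerging Threats), here is a small Python model of the DYNAMIC_DNS rule: it builds a constructed DNS query and applies the rule's offset/depth/distance content matches by hand, and also shows two query shapes the 10-byte header match does not cover (AD flag set, EDNS0 OPT record present).

```python
import struct

# Byte patterns taken from the ET POLICY DYNAMIC_DNS rule above.
# Bytes 2-11 of a DNS message: flags=0x0100 (RD), QDCOUNT=1, ANCOUNT=NSCOUNT=ARCOUNT=0.
DNS_QUERY_HEADER = bytes.fromhex("01000001000000000000")
# Wire-format label "no-ip" (length 5) followed by the length byte of a 3-char TLD.
NOIP_LABEL = b"\x05no-ip\x03"


def encode_qname(name: str) -> bytes:
    """Encode a hostname as DNS wire-format labels: length byte + label, NUL-terminated."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(name: str, flags: int = 0x0100, arcount: int = 0, txid: int = 0x1234) -> bytes:
    """Constructed sample: a recursive A/IN query as a stub resolver would send it.
    flags and arcount are exposed so a caller can see what the rule does NOT match."""
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, arcount)
    question = encode_qname(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return header + question


def rule_matches(payload: bytes) -> bool:
    """Apply the rule's two content matches by hand.
    content:"|01 00 00 01 00 00 00 00 00 00|"; offset:2; depth:10
        -> a 10-byte pattern in a 10-byte window starting at byte 2, so bytes 2..11 must be exact.
    content:"|05|no-ip|03|"; distance:0
        -> relative to the end of the previous match, i.e. anywhere from byte 12 onwards."""
    if payload[2:12] != DNS_QUERY_HEADER:
        return False
    return NOIP_LABEL in payload[12:]
```

A query carrying an OPT record sets ARCOUNT=1 (byte 11 becomes 0x01) and a resolver that sets the AD bit sends flags 0x0120, so either shape slips past the first content match even when the name is a no-ip host.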