[Emerging-Sigs] 2 Sigs: SCAN & DYNAMIC_DNS

Matthew Jonkman jonkman at emergingthreatspro.com
Tue Oct 4 23:41:47 EDT 2011

On Oct 4, 2011, at 8:05 AM, Kevin Ross wrote:

> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN Toata Scanner/Invalid Double HTTP in Header Detected"; flow:established,to_server; content:"HTTP/1.1|20|HTTP/1.1"; http_header; threshold: type limit, count 1, seconds 60, track by_src; classtype:attempted-recon; reference:url,isc.sans.org/diary.html?storyid=5599; sid:1231991; rev:1;)

As rmkml noted this won't fire with http_header. But raw matching it ought to. 

But, the other sig for it does fire. 

But, this is an interesting oddity. I'll do a sig up just for the double http. That'll net us something interesting I bet!

> # Starting to see more and in sandnet
> alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET POLICY DYNAMIC_DNS Query for no-ip Dynamic DNS Domain - Possibly Malware Related"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|no-ip|03|"; distance:0; fast_pattern; classtype:misc-activity; sid:1231992; rev:1;)

Also adding an http request to no-ip.


> Regards, Kevin

Matt Jonkman
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 866-504-2523 x110
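To show exactly what the quoted no-ip rule keys on, here is an added example (not part of the thread) that reproduces its matching logic in Python over constructed DNS query payloads. The byte offsets follow the rule's `offset:2; depth:10` window and the `|05|no-ip|03|` label encoding; the packets, names and function names are constructed for the example.

```python
import struct

# content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2
# = flags 0x0100 (standard query, RD set), QDCOUNT 1, AN/NS/AR counts 0
HEADER_PATTERN = bytes.fromhex("01000001000000000000")
# content:"|05|no-ip|03|" = a 5-byte label "no-ip" followed by a 3-byte label
LABEL_PATTERN = b"\x05no-ip\x03"


def build_dns_query(qname: str, txid: int = 0x1234, rd: bool = True) -> bytes:
    """Constructed DNS query (type A, class IN) for qname, for testing only."""
    flags = 0x0100 if rd else 0x0000
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode()
                      for p in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack(">HH", 1, 1)


def decode_qname(payload: bytes) -> str:
    """Walk the length-prefixed labels of the first question (no compression)."""
    labels, i = [], 12
    while payload[i]:
        n = payload[i]
        labels.append(payload[i + 1:i + 1 + n].decode())
        i += 1 + n
    return ".".join(labels)


def rule_matches(payload: bytes) -> bool:
    """Emulate the rule's two content matches on a UDP payload."""
    # offset:2 depth:10 -> the 10 bytes right after the transaction id
    if payload[2:12] != HEADER_PATTERN:
        return False
    # distance:0 -> the label pattern must follow the previous match
    return LABEL_PATTERN in payload[12:]


if __name__ == "__main__":
    for name, rd in [("host.no-ip.org", True), ("host.no-ip.info", True),
                     ("host.no-ip.org", False), ("example.com", True)]:
        pkt = build_dns_query(name, rd=rd)
        print(f"{decode_qname(pkt):18s} RD={rd!s:5s} match={rule_matches(pkt)}")
```

Two edge cases the run makes visible: the `|03|` trailer means a no-ip name under a four-letter TLD is not covered, and a query without the RD bit set fails the header match.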
