[Oisf-users] About rules 2011410 and 2012956
C. L. Martinez
carlopmart at gmail.com
Thu Apr 5 14:44:49 UTC 2018
Hi all,
I am seeing a strange behavior with rules 2011410 and 2012956. When I try:
> alberta.cz.cc
Server: 127.0.0.1
Address: 127.0.0.1#53
Non-authoritative answer:
alberta.cz.cc canonical name = pk.22.cn.
Name: pk.22.cn
Address: 0.0.0.0
... no alert is triggered. But when I try:
> alberta.co.tv
Server: 127.0.0.1
Address: 127.0.0.1#53
** server can't find alberta.co.tv: NXDOMAIN
an alert is triggered:
04/04/2018-18:20:58.297010 [**] [1:2012956:4] ET DNS DNS Query for a
Suspicious *.co.tv domain [**] [Classification: Potentially Bad Traffic]
[Priority: 2] {UDP} 172.22.55.1:25327 -> 172.22.54.4:53
04/04/2018-18:20:59.321374 [**] [1:2012956:4] ET DNS DNS Query for a
Suspicious *.co.tv domain [**] [Classification: Potentially Bad Traffic]
[Priority: 2] {UDP} 172.22.55.1:43946 -> 172.22.54.4:53
04/04/2018-18:21:00.352213 [**] [1:2012956:4] ET DNS DNS Query for a
Suspicious *.co.tv domain [**] [Classification: Potentially Bad Traffic]
[Priority: 2] {UDP} 172.22.55.1:37370 -> 172.22.54.4:53
04/04/2018-18:21:02.392962 [**] [1:2012956:4] ET DNS DNS Query for a
Suspicious *.co.tv domain [**] [Classification: Potentially Bad Traffic]
[Priority: 2] {UDP} 172.22.55.1:38905 -> 172.22.54.4:53
04/04/2018-18:21:04.433926 [**] [1:2012956:4] ET DNS DNS Query for a
Suspicious *.co.tv domain [**] [Classification: Potentially Bad Traffic]
[Priority: 2] {UDP} 172.22.55.1:23993 -> 172.22.54.4:53
Why?? Both rules are defined the same way:
alert dns $HOME_NET any -> any any (msg:"ET DNS DNS Query for Suspicious
.cz.cc Domain"; dns_query; content:".cz.cc"; isdataat:!1,relative; nocase;
reference:url,sign.kaffenews.com/?p=104; classtype:bad-unknown;
sid:2011410; rev:4; metadata:created_at 2010_09_27, updated_at 2010_09_27;)
alert dns $HOME_NET any -> any any (msg:"ET DNS DNS Query for a Suspicious
*.co.tv domain"; dns_query; content:".co.tv"; nocase; isdataat:!1,relative;
classtype:bad-unknown; sid:2012956; rev:4; metadata:created_at 2011_06_08,
updated_at 2011_06_08;)
I am using Suricata 4.0.4 under FreeBSD 11.1.
Thanks.
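The two signatures quoted above rely on the same three options against the `dns_query` buffer: `content:"<suffix>"`, `nocase`, and `isdataat:!1,relative`. The following is an added example (not code from the post, nor from Suricata or the ET ruleset) that models what that combination requires of a queried name: a case-insensitive occurrence of the suffix that is also the last thing in the buffer, since `isdataat:!1,relative` asserts that no byte exists one position past the end of the match. The query names are constructed test inputs, and the evaluator assumes the name is presented the way Suricata's `dns_query` buffer presents it, without a trailing dot; it does not diagnose the poster's setup, it only shows which names the rule text can and cannot match.

```python
# Added example: a minimal evaluator for the rule options shared by
# SIDs 2011410 and 2012956 --
#     dns_query; content:"<suffix>"; nocase; isdataat:!1,relative;
# Modelled semantics (assumptions stated in the lead-in):
#   - content + nocase      : case-insensitive substring search in the buffer
#   - isdataat:!1,relative  : no byte may exist 1 position past the end of the
#                             match, so the match must terminate the buffer
#   - Suricata retries later occurrences of a content match when a following
#     relative keyword fails, so any occurrence that ends the buffer suffices.

RULES = {
    2011410: ".cz.cc",   # ET DNS DNS Query for Suspicious .cz.cc Domain
    2012956: ".co.tv",   # ET DNS DNS Query for a Suspicious *.co.tv domain
}


def content_matches(buffer: str, needle: str, nocase: bool = True):
    """Return every (start, end) offset where `needle` occurs in `buffer`."""
    hay = buffer.lower() if nocase else buffer
    ndl = needle.lower() if nocase else needle
    hits, start = [], 0
    while True:
        idx = hay.find(ndl, start)
        if idx == -1:
            return hits
        hits.append((idx, idx + len(ndl)))
        start = idx + 1


def isdataat_not_1_relative(buffer: str, match_end: int) -> bool:
    """isdataat:!1,relative: passes only when there is NO data one byte past
    the end of the preceding match, i.e. the match ends the buffer."""
    return match_end + 1 > len(buffer)


def rule_matches(sid: int, query_name: str) -> bool:
    """Evaluate the content/nocase/isdataat chain of one rule on a query name."""
    suffix = RULES[sid]
    return any(isdataat_not_1_relative(query_name, end)
               for _, end in content_matches(query_name, suffix))


def evaluate(query_names):
    """Map each query name to the list of SIDs whose rule text matches it."""
    return {name: [sid for sid in RULES if rule_matches(sid, name)]
            for name in query_names}


# Constructed sample query names (only the first two appear in the post).
SAMPLE_QUERIES = [
    "alberta.cz.cc",        # ends with .cz.cc        -> 2011410
    "alberta.co.tv",        # ends with .co.tv        -> 2012956
    "ALBERTA.CZ.CC",        # nocase: case ignored    -> 2011410
    "alberta.cz.cc.",       # trailing byte after the match: isdataat fails
    "cz.cc.example.net",    # suffix in the middle: isdataat fails
    "alberta.czxcc",        # no occurrence: content fails
    "a.cz.cc.b.cz.cc",      # two occurrences; the last one ends the buffer
]

if __name__ == "__main__":
    for name, sids in evaluate(SAMPLE_QUERIES).items():
        print(f"{name:22s} -> {sids or 'no alert'}")
```

Running it shows that the rule text alone treats `alberta.cz.cc` and `alberta.co.tv` identically, so a difference in alerting between the two lookups is not explained by the signature bodies; the trailing-dot and mid-name cases show the two ways the `isdataat:!1,relative` check can legitimately fail for a name that still contains the suffix.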