[Oisf-users] About rules 2011410 and 2012956
Victor Julien
lists at inliniac.net
Thu Apr 5 14:48:51 UTC 2018
On 05-04-18 16:44, C. L. Martinez wrote:
> Hi all,
>
> I am seeing a strange behavior with rules 2011410 and 2012956. When I try:
>
>> alberta.cz.cc
> Server: 127.0.0.1
> Address: 127.0.0.1#53
>
> Non-authoritative answer:
> alberta.cz.cc canonical name = pk.22.cn.
> Name: pk.22.cn
> Address: 0.0.0.0
>
> ... no alert is triggered. But when I try:
>
>> alberta.co.tv
> Server: 127.0.0.1
> Address: 127.0.0.1#53
>
> ** server can't find alberta.co.tv: NXDOMAIN
>
> alert is triggered:
>
> 04/04/2018-18:20:58.297010 [**] [1:2012956:4] ET DNS DNS Query for a Suspicious *.co.tv domain [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 172.22.55.1:25327 -> 172.22.54.4:53
> 04/04/2018-18:20:59.321374 [**] [1:2012956:4] ET DNS DNS Query for a Suspicious *.co.tv domain [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 172.22.55.1:43946 -> 172.22.54.4:53
> 04/04/2018-18:21:00.352213 [**] [1:2012956:4] ET DNS DNS Query for a Suspicious *.co.tv domain [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 172.22.55.1:37370 -> 172.22.54.4:53
> 04/04/2018-18:21:02.392962 [**] [1:2012956:4] ET DNS DNS Query for a Suspicious *.co.tv domain [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 172.22.55.1:38905 -> 172.22.54.4:53
> 04/04/2018-18:21:04.433926 [**] [1:2012956:4] ET DNS DNS Query for a Suspicious *.co.tv domain [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 172.22.55.1:23993 -> 172.22.54.4:53
>
> Why?? Both rules are defined equally:
>
> alert dns $HOME_NET any -> any any (msg:"ET DNS DNS Query for Suspicious
> .cz.cc Domain"; dns_query; content:".cz.cc"; isdataat:!1,relative;
> nocase; reference:url,sign.kaffenews.com/?p=104; classtype:bad-unknown;
> sid:2011410; rev:4; metadata:created_at 2010_09_27, updated_at 2010_09_27;)
>
> alert dns $HOME_NET any -> any any (msg:"ET DNS DNS Query for a
> Suspicious *.co.tv domain"; dns_query; content:".co.tv"; nocase;
> isdataat:!1,relative; classtype:bad-unknown; sid:2012956; rev:4;
> metadata:created_at 2011_06_08, updated_at 2011_06_08;)
>
> I am using Suricata 4.0.4 under FreeBSD 11.1.
Can you share a pcap?
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
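As an added illustration (not Suricata's code and not part of the thread), a small Python model of how `content` plus `nocase` plus `isdataat:!1,relative` anchors a match to the end of the `dns_query` buffer, run over the two names from the thread and a few constructed edge cases; the matching semantics and sample names are assumptions made for the demo.

```python
# Constructed model (assumed, not Suricata's implementation) of the two
# ET DNS rules: `dns_query; content:"X"; nocase; isdataat:!1,relative;`
# fires when X occurs case-insensitively in the query name AND no byte
# follows the match, i.e. the name must end with X.
RULES = {
    2011410: ".cz.cc",
    2012956: ".co.tv",
}


def content_match_end_anchored(buf: str, pattern: str) -> bool:
    """content + nocase + isdataat:!1,relative: pattern must end the buffer."""
    low, pat = buf.lower(), pattern.lower()
    idx = low.find(pat)
    while idx != -1:
        if idx + len(pat) == len(low):   # isdataat:!1,relative -> no data after
            return True
        idx = low.find(pat, idx + 1)     # try later occurrences of the content
    return False


def matching_sids(qname: str) -> list:
    """Sids that would fire for one dns_query buffer (name without trailing dot).

    dns_query carries the name from the DNS *request*; answer data such as a
    CNAME target is not part of this buffer.
    """
    return [sid for sid, pat in RULES.items() if content_match_end_anchored(qname, pat)]


# Constructed sample queries: the thread's two names plus edge cases.
SAMPLES = [
    "alberta.cz.cc",          # expected to hit 2011410
    "alberta.co.tv",          # hits 2012956, as seen in the thread
    "ALBERTA.CZ.CC",          # nocase: still 2011410
    "x.cz.cc.example.com",    # suffix not at end -> isdataat fails -> nothing
    "pk.22.cn",               # CNAME target from the lookup, never matched
]

if __name__ == "__main__":
    for q in SAMPLES:
        print(f"{q:24s} -> {matching_sids(q)}")
```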