[Oisf-users] About rules 2011410 and 2012956

Victor Julien lists at inliniac.net
Thu Apr 5 14:48:51 UTC 2018


On 05-04-18 16:44, C. L. Martinez wrote:
> Hi all,
> 
>  I am seeing a strange behavior with rules 2011410 and 2012956. When I try:
> 
>> alberta.cz.cc
> Server:         127.0.0.1
> Address:        127.0.0.1#53
> 
> Non-authoritative answer:
> alberta.cz.cc   canonical name = pk.22.cn.
> Name:   pk.22.cn
> Address: 0.0.0.0
> 
>  ... no alert is triggered. But when I try:
> 
>> alberta.co.tv
> Server:         127.0.0.1
> Address:        127.0.0.1#53
> 
> ** server can't find alberta.co.tv: NXDOMAIN
> 
>  alert is triggered:
> 
> 04/04/2018-18:20:58.297010  [**] [1:2012956:4] ET DNS DNS Query for a Suspicious *.co.tv domain [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 172.22.55.1:25327 -> 172.22.54.4:53
> 04/04/2018-18:20:59.321374  [**] [1:2012956:4] ET DNS DNS Query for a Suspicious *.co.tv domain [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 172.22.55.1:43946 -> 172.22.54.4:53
> 04/04/2018-18:21:00.352213  [**] [1:2012956:4] ET DNS DNS Query for a Suspicious *.co.tv domain [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 172.22.55.1:37370 -> 172.22.54.4:53
> 04/04/2018-18:21:02.392962  [**] [1:2012956:4] ET DNS DNS Query for a Suspicious *.co.tv domain [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 172.22.55.1:38905 -> 172.22.54.4:53
> 04/04/2018-18:21:04.433926  [**] [1:2012956:4] ET DNS DNS Query for a Suspicious *.co.tv domain [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 172.22.55.1:23993 -> 172.22.54.4:53
> 
>  Why?? Both rules are defined equally:
> 
> alert dns $HOME_NET any -> any any (msg:"ET DNS DNS Query for Suspicious .cz.cc Domain"; dns_query; content:".cz.cc"; isdataat:!1,relative; nocase; reference:url,sign.kaffenews.com/?p=104; classtype:bad-unknown; sid:2011410; rev:4; metadata:created_at 2010_09_27, updated_at 2010_09_27;)
> 
> alert dns $HOME_NET any -> any any (msg:"ET DNS DNS Query for a Suspicious *.co.tv domain"; dns_query; content:".co.tv"; nocase; isdataat:!1,relative; classtype:bad-unknown; sid:2012956; rev:4; metadata:created_at 2011_06_08, updated_at 2011_06_08;)
> 
>  I am using Suricata 4.0.4 under FreeBSD 11.1.

Can you share a pcap?

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
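The two rules quoted above differ only in the suffix they look for, so the useful thing to check is what `dns_query; content:"..."; nocase; isdataat:!1,relative;` actually requires of a query name. The following script is an added example for this thread, not code from Suricata or from the Emerging Threats rule set: it parses just those options out of the two rule lines and applies them to sample query names the way the `dns_query` buffer would see them (the name without its trailing dot). The rule text is copied from the thread with the mail client's link remnants removed; the sample query names are constructed for the example. The matching logic is a simplified model of the option semantics and an assumption of this example, not Suricata's detection engine.

```python
import re

# Constructed input: the two ET rules quoted in the thread, with the mail
# client's "<http://...>" link remnants stripped out.
RULES = [
    'alert dns $HOME_NET any -> any any (msg:"ET DNS DNS Query for Suspicious '
    '.cz.cc Domain"; dns_query; content:".cz.cc"; isdataat:!1,relative; nocase; '
    'reference:url,sign.kaffenews.com/?p=104; classtype:bad-unknown; sid:2011410; '
    'rev:4; metadata:created_at 2010_09_27, updated_at 2010_09_27;)',
    'alert dns $HOME_NET any -> any any (msg:"ET DNS DNS Query for a Suspicious '
    '*.co.tv domain"; dns_query; content:".co.tv"; nocase; isdataat:!1,relative; '
    'classtype:bad-unknown; sid:2012956; rev:4; metadata:created_at 2011_06_08, '
    'updated_at 2011_06_08;)',
]


def parse_rule(rule_text):
    """Pull out the small subset of rule options this example understands.

    Only dns_query, content, nocase, isdataat:!1,relative, sid and msg are
    handled; every other option in the rule is ignored (an assumption of
    this example, which is not a full rule parser).
    """
    body = rule_text[rule_text.index("(") + 1 : rule_text.rindex(")")]
    sid = int(re.search(r"\bsid:(\d+);", body).group(1))
    msg = re.search(r'msg:"([^"]*)";', body).group(1)
    content = re.search(r'content:"([^"]*)";', body).group(1)
    return {
        "sid": sid,
        "msg": msg,
        "dns_query": "dns_query;" in body,
        "content": content,
        "nocase": "nocase;" in body,
        # isdataat:!1,relative reads "there is NOT one more byte after the
        # match", i.e. the content has to sit at the very end of the name.
        "anchored_end": "isdataat:!1,relative;" in body,
    }


def rule_matches_query(rule, qname):
    """Apply a parsed rule to a DNS query name as the dns_query buffer holds
    it: the raw name without a trailing dot."""
    if not rule["dns_query"]:
        return False
    buf = qname.rstrip(".")
    needle = rule["content"]
    if rule["nocase"]:
        buf, needle = buf.lower(), needle.lower()
    # Try every occurrence of the content: a relative check may reject one
    # occurrence while a later one still satisfies it.
    start = buf.find(needle)
    while start != -1:
        end = start + len(needle)
        if not rule["anchored_end"] or end == len(buf):
            return True
        start = buf.find(needle, start + 1)
    return False


PARSED = [parse_rule(r) for r in RULES]


def matching_sids(qname):
    """Return the sids of every rule that fires on this query name."""
    return [r["sid"] for r in PARSED if rule_matches_query(r, qname)]


if __name__ == "__main__":
    # Constructed sample names: the two from the thread, an upper-case
    # variant, a name where the suffix is not at the end, and a benign one.
    for name in ["alberta.cz.cc", "alberta.co.tv", "ALBERTA.CO.TV.",
                 "host.cz.cc.example.net", "example.com"]:
        print(f"{name:24s} -> {matching_sids(name)}")
```

Under this model both names from the thread satisfy their respective rule, and a name such as `host.cz.cc.example.net` does not, because `isdataat:!1,relative` rejects a suffix that is followed by more labels. It also shows why a pcap is the right next step: the `nslookup` output records the answer, not the query bytes Suricata inspected, and only the packets can confirm what name (or whether any packet at all) reached the sensor for the `.cz.cc` lookup.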


