[Oisf-users] ET TROJAN DNS Reply Sinkhole - Anubis -

Travis Green travis at travisgreen.net
Tue Jan 15 16:20:34 UTC 2019

Jordon, I can't think of any way to filter alerts generated by a DNS server
based on which client is querying it. According to Joao G, this particular
IP range is used for active investigations and often legitimate domains get
sinkholed to this range (ref:
you may want to disable this signature.


On Tue, Jan 15, 2019 at 8:12 AM Jordon Carpenter <
jordon.carpenter at rooksecurity.com> wrote:

> Team,
> This signature:
> ET TROJAN DNS Reply Sinkhole - Anubis -
> is generating a ton of alerts from a BYOD network in which I do not care
> about at this time. Is there anyway we can pass traffic related to a BYOD
> network even though this signature is identifying the source as a DNS
> server(which I do not want to suppress)?
> *Thanks,Jordon Carpenter*
> Rook Security <https://www.rooksecurity.com/>
> *Anticipate, Manage, & Eliminate Threats*
> O: 888.712.9531 x734 <(888)%20712-9531>
> E: jordon.carpenter at rooksecurity.com
> [image: rookteam] <https://www.facebook.com/rookteam>    [image:
> rooksecurity] <https://twitter.com/rooksecurity>    [image: Rook LinkedIn]
> <https://www.linkedin.com/company/rook-security>
> This e-mail may contain confidential and privileged material for the sole
> use of the intended recipient. Any review, use, distribution or disclosure
> by others is strictly prohibited. If you are not the intended recipient (or
> authorized to receive for the recipient), please contact the sender by
> reply e-mail and delete all copies of this message.
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Conference: https://suricon.net
> Trainings: https://suricata-ids.org/training/

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20190115/cafe42a0/attachment.html>

More information about the Oisf-users mailing list