[prev in list] [next in list] [prev in thread] [next in thread]
List: snort-users
Subject: Re: [Snort-users] Help with Snort Processor
From: "Al Lewis \(allewi\) via Snort-users" <snort-users () lists ! snort ! org>
Date: 2017-10-28 14:18:02
Message-ID: A2F94607-0835-4176-95A9-18639E67CF18 () cisco ! com
[Download RAW message or body]
[Attachment #2 (text/plain)]
Hello,
Can you send a sample of the traffic in pcap form?
Thanks.
Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
SOURCEfire, Inc. now part of Cisco
Email: allewi@cisco.com<mailto:allewi@cisco.com>
From: Snort-users <snort-users-bounces@lists.snort.org<mailto:snort-users-bounces@lists.snort.org>> \
on behalf of Paul O'Brien via Snort-users \
<snort-users@lists.snort.org<mailto:snort-users@lists.snort.org>>
Reply-To: Paul O'Brien <pdobrien3@gmail.com<mailto:pdobrien3@gmail.com>>
Date: Friday, October 27, 2017 at 9:40 AM
To: "Joel Esler (jesler)" <jesler@cisco.com<mailto:jesler@cisco.com>>
Cc: "snort-users@lists.snort.org<mailto:snort-users@lists.snort.org>" \
<snort-users@lists.snort.org<mailto:snort-users@lists.snort.org>>
Subject: Re: [Snort-users] Help with Snort Processor
Aanval Alert (PROTOCOL-DNS domain not found containing random-looking hostname - \
possible DGA detected) The following alert was generated by the Aanval Intrusion \
Detection Console.
---
Timestamp: 10-27-2017 11:53:06
Risk Level: 1
Source IP: 24.25.5.61 : 53
Destination IP: 192.168.1.266 : 55886
Sensor: sensor01
Detected Event: PROTOCOL-DNS domain not found containing random-looking hostname - \
possible DGA detected (31738)
Detected Event Category: trojan-activity (21)
Aanval ID: 190559
Action ID: 1
---
Payload:
5072818300010000000100000A6D73672D7464692D6D640870756C73656D7373036E65740000010001C020 \
0006000100000384003D01610C67746C642D73657276657273C020056E73746C640C766572697369676E2D67727303636F6D0059F31002000007080000038400093A8000015180
---
This message was generated from the Aanval Intrusion Detection and Correlation \
Console. http://www.aanval.com/
---
Thanks,
Dan
"Better is a poor man who walks in his integrity than a rich man who is crooked in \
his ways." - Proverbs 28:6
Sent from my iPhone
On Oct 27, 2017, at 9:24 AM, Joel Esler (jesler) \
<jesler@cisco.com<mailto:jesler@cisco.com>> wrote:
That would be a good start.
--
Joel Esler | Talos: Manager | jesler@cisco.com<mailto:jesler@cisco.com>
On Oct 27, 2017, at 7:50 AM, Paul O'Brien \
<pdobrien3@gmail.com<mailto:pdobrien3@gmail.com>> wrote:
Thank you for the response Joel. I apologize for not being clear. I understand it is \
doing exactly what it is supposed to do but I am getting multiple text notifications \
a day whenever someone opens chrome. I am very new to this and more than happy to \
get you an example of the alert, just not sure what you are looking for. Just a \
copy/paste or something more involved?
Thanks,
Dan
"Better is a poor man who walks in his integrity than a rich man who is crooked in \
his ways." - Proverbs 28:6
Sent from my iPhone
On Oct 26, 2017, at 11:25 PM, Joel Esler (jesler) \
<jesler@cisco.com<mailto:jesler@cisco.com>> wrote:
It's not a preprocessor, this is a shared object rule, but it is doing exactly what \
it is supposed to do. Looking for random looking hostnames. Do you have an example \
of an alert?
--
Joel Esler | Talos: Manager | jesler@cisco.com<mailto:jesler@cisco.com>
On Oct 25, 2017, at 8:06 PM, Dan O'Brien via Snort-users \
<snort-users@lists.snort.org<mailto:snort-users@lists.snort.org>> wrote:
Good evening all,
Looking for some suggestions to quiet (PROTOCOL-DNS domain not found containing \
random-looking hostname - possible DGA detected). It goes off every time someone \
opens Chrome due to Chrome DNS prefetching. I disabled prefetching in Chrome but \
apparently it still does some things upon opening that cant be controlled in the \
settings.
Browser Startup
Chromium automatically remembers the first 10 domains that were resolved the last \
time the Chromium was started, and automatically starts to resolve these names very \
early in the startup process. As a result, the domains for a user's home page(s), \
along with any embedded domains (or anything the user "always" visits just after \
startup), are generally resolved before much of Chromium has ever loaded. When \
Chromium finally starts to try to load and render those pages, there is typically no \
DNS induced latency, and the application effectively "starts up" (becoming usable) \
faster. Average startup savings are 200ms or more, with common acceleration over 1 \
second.
Looking for ideas beyond disabling the rule. Thanks in advance.
Thanks,
Dan
"Better is a poor man who walks in his integrity than a rich man who is crooked in \
his ways." - Proverbs 28:6
Sent from my iPad
_______________________________________________
Snort-users mailing list
Snort-users@lists.snort.org<mailto:Snort-users@lists.snort.org>
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users
Please visit http://blog.snort.org<http://blog.snort.org/> to stay current on all the \
latest Snort news!
Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
[Attachment #3 (text/html)]
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: \
after-white-space; color: rgb(0, 0, 0); font-size: 14px; font-family: Courier, \
sans-serif;"> <div>
<div>Hello,</div>
<div><br>
</div>
<div><span class="Apple-tab-span" style="white-space:pre"></span>Can you send a \
sample of the traffic in pcap form?</div> <div><br>
</div>
<div>Thanks.</div>
<div><br>
</div>
<div><br>
</div>
<div>
<div id="MAC_OUTLOOK_SIGNATURE">
<div>
<p class="MsoNormal" style="font-family: -webkit-standard; margin: 0in 0in 0.0001pt; \
font-size: 11pt;"> <b><span style="font-size: 12pt; color: rgb(31, 73, 125);"><font \
face="Courier">Albert Lewis<o:p></o:p></font></span></b></p> <p class="MsoNormal" \
style="font-family: -webkit-standard; margin: 0in 0in 0.0001pt; font-size: 11pt;"> \
<font color="#7f7f7f">ENGINEER.SOFTWARE ENGINEERING</font></p> <p class="MsoNormal" \
style="font-family: -webkit-standard; margin: 0in 0in 0.0001pt; font-size: 11pt;"> \
<font face="Courier"><span style="color: rgb(153, 153, 153); font-size: \
12pt;">SOURCE</span><b><span style="font-size: 12pt; color: \
red;">fire</span></b><span style="color: rgb(153, 153, 153); font-size: 12pt;">, \
Inc. </span><span style="color: rgb(136, 136, 136); font-size: 12pt;">now part \
of </span><b><span style="font-size: 12pt;"><font \
color="#00007f">Cisco</font></span></b></font></p> <p class="MsoNormal" \
style="font-family: -webkit-standard; margin: 0in 0in 0.0001pt; font-size: 11pt;"> \
<font face="Courier"><span style="font-size: 12pt; color: rgb(153, 153, \
153);">Email: </span><span style="font-size: 12pt;"><a \
href="mailto:allewi@cisco.com" style="color: purple;">allewi@cisco.com</a><span \
style="color: rgb(79, 129, 189);"> </span></span></font></p> </div>
</div>
</div>
</div>
<div><br>
</div>
<span id="OLK_SRC_BODY_SECTION">
<div style="font-family:Calibri; font-size:12pt; text-align:left; color:black; \
BORDER-BOTTOM: medium none; BORDER-LEFT: medium none; PADDING-BOTTOM: 0in; \
PADDING-LEFT: 0in; PADDING-RIGHT: 0in; BORDER-TOP: #b5c4df 1pt solid; BORDER-RIGHT: \
medium none; PADDING-TOP: 3pt"> <span style="font-weight:bold">From: \
</span>Snort-users <<a \
href="mailto:snort-users-bounces@lists.snort.org">snort-users-bounces@lists.snort.org</a>> \
on behalf of Paul O'Brien via Snort-users <<a \
href="mailto:snort-users@lists.snort.org">snort-users@lists.snort.org</a>><br> \
<span style="font-weight:bold">Reply-To: </span>Paul O'Brien <<a \
href="mailto:pdobrien3@gmail.com">pdobrien3@gmail.com</a>><br> <span \
style="font-weight:bold">Date: </span>Friday, October 27, 2017 at 9:40 AM<br> <span \
style="font-weight:bold">To: </span>"Joel Esler (jesler)" <<a \
href="mailto:jesler@cisco.com">jesler@cisco.com</a>><br> <span \
style="font-weight:bold">Cc: </span>"<a \
href="mailto:snort-users@lists.snort.org">snort-users@lists.snort.org</a>" \
<<a href="mailto:snort-users@lists.snort.org">snort-users@lists.snort.org</a>><br>
<span style="font-weight:bold">Subject: </span>Re: [Snort-users] Help with Snort \
Processor<br> </div>
<div><br>
</div>
<span style="mso-bookmark:_MailOriginalBody">
<div>
<div dir="auto">
<div>Aanval Alert (PROTOCOL-DNS domain not found containing random-looking hostname - \
possible DGA detected)</div> <div>The following alert was generated by the Aanval \
Intrusion Detection Console.</div> <div>---</div>
<div><br>
</div>
<div>Timestamp: 10-27-2017 11:53:06</div>
<div><br>
</div>
<div>Risk Level: 1</div>
<div><br>
</div>
<div>Source IP: 24.25.5.61 : 53</div>
<div>Destination IP: 192.168.1.266 : 55886</div>
<div>Sensor: sensor01</div>
<div><br>
</div>
<div>Detected Event: PROTOCOL-DNS domain not found containing random-looking hostname \
- possible DGA detected (31738)</div> <div><br>
</div>
<div>Detected Event Category: trojan-activity (21)</div>
<div><br>
</div>
<div>Aanval ID: 190559</div>
<div>Action ID: 1</div>
<div>---</div>
<div>Payload:</div>
<div>5072818300010000000100000A6D73672D7464692D6D640870756C73656D7373036E6574000001000 \
1C0200006000100000384003D01610C67746C642D73657276657273C020056E73746C640C766572697369676E2D67727303636F6D0059F31002000007080000038400093A8000015180</div>
<div><br>
</div>
<div><br>
</div>
<div>---</div>
<div>This message was generated from the Aanval Intrusion Detection and Correlation \
Console.</div> <div><a href="http://www.aanval.com/">http://www.aanval.com/</a></div>
<div>---</div>
<div><br>
</div>
<br>
<div><span style="background-color: rgba(255, 255, 255, 0);">Thanks,<br>
Dan<br>
<br>
"Better is a poor man who walks in his integrity than a rich man who is crooked \
in his ways." - Proverbs 28:6<br> <br>
Sent from my iPhone</span></div>
<div><br>
On Oct 27, 2017, at 9:24 AM, Joel Esler (jesler) <<a \
href="mailto:jesler@cisco.com">jesler@cisco.com</a>> wrote:<br> <br>
</div>
<blockquote type="cite">That would be a good start.
<div class=""><br class="">
<div class="">
<div style="color: rgb(0, 0, 0); letter-spacing: normal; orphans: auto; text-align: \
start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; \
word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; \
-webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""> <div \
style="color: rgb(0, 0, 0); letter-spacing: normal; orphans: auto; text-align: start; \
text-indent: 0px; text-transform: none; white-space: normal; widows: auto; \
word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; \
-webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""> <div \
style="color: rgb(0, 0, 0); letter-spacing: normal; orphans: auto; text-align: start; \
text-indent: 0px; text-transform: none; white-space: normal; widows: auto; \
word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; \
-webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""> <div \
class=""><b style="font-family: Calibri, sans-serif; font-size: 10px;" class=""><font \
color="#5e5e5e" class="">--</font></b></div> <div style="font-size: 14px;" \
class=""><b style="font-family: Calibri, sans-serif; font-size: 12px;" class=""><font \
color="#5e5e5e" class="">Joel Esler </font></b><span style="font-family: \
Calibri, sans-serif; font-size: 12px;" class="">| </span><b style="font-family: \
Calibri, sans-serif; font-size: 12px;" class=""><font color="#0096ff" \
class="">Talos:</font></b><span style="font-family: Calibri, sans-serif; font-size: \
12px;" class=""> M</span><font color="#424242" style="font-family: Calibri, \
sans-serif; font-size: 12px;" class="">anager | <a \
href="mailto:jesler@cisco.com" class="">jesler@cisco.com</a></font></div> <div \
class=""><font color="#424242" style="font-family: Calibri, sans-serif; font-size: \
10px;" class=""><br class=""> </font></div>
</div>
<br class="Apple-interchange-newline">
</div>
<br class="Apple-interchange-newline">
</div>
<br class="Apple-interchange-newline">
<br class="Apple-interchange-newline">
</div>
<div style=""><br class="">
<blockquote type="cite" class="">
<div class="">On Oct 27, 2017, at 7:50 AM, Paul O'Brien <<a \
href="mailto:pdobrien3@gmail.com" class="">pdobrien3@gmail.com</a>> wrote:</div> \
<br class="Apple-interchange-newline"> <div class="">
<div dir="auto" class="">Thank you for the response Joel. I apologize for not being \
clear. I understand it is doing exactly what it is supposed to do but I am getting \
multiple text notifications a day whenever someone opens chrome. I am very new \
to this and more than happy to get you an example of the alert, just not sure what \
you are looking for. Just a copy/paste or something more involved?<br class=""> <br \
class=""> <div class=""><span style="background-color: rgba(255, 255, 255, 0);" \
class="">Thanks,<br class=""> Dan<br class="">
<br class="">
"Better is a poor man who walks in his integrity than a rich man who is crooked \
in his ways." - Proverbs 28:6<br class=""> <br class="">
Sent from my iPhone</span></div>
<div class=""><br class="">
On Oct 26, 2017, at 11:25 PM, Joel Esler (jesler) <<a \
href="mailto:jesler@cisco.com" class="">jesler@cisco.com</a>> wrote:<br class=""> \
<br class=""> </div>
<blockquote type="cite" class="">
<div class="">It's not a preprocessor, this is a shared object rule, but it is doing \
exactly what it is supposed to do. Looking for random looking hostnames. \
Do you have an example of an alert? <div class=""><br class="">
</div>
<div class=""><br class="">
<div class="">
<div style="letter-spacing: normal; text-align: start; text-indent: 0px; \
text-transform: none; white-space: normal; word-spacing: 0px; \
-webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; \
line-break: after-white-space;" class=""> <div style="letter-spacing: normal; \
text-align: start; text-indent: 0px; text-transform: none; white-space: normal; \
word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; \
-webkit-nbsp-mode: space; line-break: after-white-space;" class=""> <div \
style="letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: \
none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; \
word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" \
class=""> <div class=""><b style="font-family: Calibri, sans-serif; font-size: 10px;" \
class=""><font color="#5e5e5e" class="">--</font></b></div> <div style="font-size: \
14px;" class=""><b style="font-family: Calibri, sans-serif; font-size: 12px;" \
class=""><font color="#5e5e5e" class="">Joel Esler </font></b><span \
style="font-family: Calibri, sans-serif; font-size: 12px;" class="">| </span><b \
style="font-family: Calibri, sans-serif; font-size: 12px;" class=""><font \
color="#0096ff" class="">Talos:</font></b><span style="font-family: Calibri, \
sans-serif; font-size: 12px;" class=""> M</span><font color="#424242" \
style="font-family: Calibri, sans-serif; font-size: 12px;" class="">anager | <a \
href="mailto:jesler@cisco.com" class="">jesler@cisco.com</a></font></div> <div \
class=""><font color="#424242" style="font-family: Calibri, sans-serif; font-size: \
10px;" class=""><br class=""> </font></div>
</div>
<br class="Apple-interchange-newline">
</div>
<br class="Apple-interchange-newline">
</div>
<br class="Apple-interchange-newline">
<br class="Apple-interchange-newline">
</div>
<div class=""><br class="">
<blockquote type="cite" class="">
<div class="">On Oct 25, 2017, at 8:06 PM, Dan O'Brien via Snort-users <<a \
href="mailto:snort-users@lists.snort.org" \
class="">snort-users@lists.snort.org</a>> wrote:</div> <br \
class="Apple-interchange-newline"> <div class="">
<div dir="auto" class="">Good evening all,
<div class=""><br class="">
</div>
<div class="">Looking for some suggestions to quiet (PROTOCOL-DNS domain not found \
containing random-looking hostname - possible DGA detected). It goes off every \
time someone opens Chrome due to Chrome DNS prefetching. I disabled prefetching in \
Chrome but apparently it still does some things upon opening that cant be controlled \
in the settings. </div> <div class=""><br class="">
</div>
<h2 class=""><font size="3" class=""><span style="background-color: rgba(255, 255, \
255, 0);" class=""><b class="">Browser Startup</b><br class=""> </span></font></h2>
<div class=""><span style="background-color: rgba(255, 255, 255, 0);" \
class="">Chromium automatically remembers the first 10 domains that were resolved the \
last time the Chromium was started, and automatically starts to resolve these \
names <b class="">very</b> early in the startup process. As a \
result, the domains for a user's home page(s), along with any embedded domains (or \
anything the user "always" visits just after startup), are generally \
resolved before much of Chromium has ever loaded. When Chromium finally starts \
to try to load and render those pages, there is typically no DNS induced latency, and \
the application effectively "starts up" (becoming usable) faster. \
Average startup savings are 200ms or more, with common acceleration over 1 \
second.</span></div> <div class=""><br class="">
</div>
<div class="">Looking for ideas beyond disabling the rule. Thanks in \
advance. <br class=""> <br class="">
<div class="">
<div style="margin: 0in 0in 0.0001pt;" class=""><span style="background-color: \
rgba(255, 255, 255, 0);" class="">Thanks,<o:p class=""></o:p></span></div> <div \
style="margin: 0in 0in 0.0001pt;" class=""><span style="background-color: rgba(255, \
255, 255, 0);" class="">Dan</span></div> <div style="margin: 0in 0in 0.0001pt;" \
class=""><span style="background-color: rgba(255, 255, 255, 0);" class=""><br \
class=""> "Better is a poor man who walks in his integrity than a rich man who \
is crooked in his ways." - Proverbs 28:6</span></div> <div style="margin: 0in \
0in 0.0001pt;" class=""><span style="background-color: rgba(255, 255, 255, 0);" \
class=""><br class=""> </span></div>
<div style="margin: 0in 0in 0.0001pt;" class=""><span style="background-color: \
rgba(255, 255, 255, 0);" class="">Sent from my iPad</span></div> </div>
</div>
</div>
_______________________________________________<br class="">
Snort-users mailing list<br class="">
<a href="mailto:Snort-users@lists.snort.org" \
class="">Snort-users@lists.snort.org</a><br class=""> Go to this URL to change user \
options or unsubscribe:<br class=""> <a \
href="https://lists.snort.org/mailman/listinfo/snort-users" \
class="">https://lists.snort.org/mailman/listinfo/snort-users</a><br class=""> <br \
class=""> Please visit <a href="http://blog.snort.org/" \
class="">http://blog.snort.org</a> to stay current on all the latest Snort news!<br \
class=""> <br class="">
Please follow these rules: <a \
href="https://snort.org/faq/what-is-the-mailing-list-etiquette" class=""> \
https://snort.org/faq/what-is-the-mailing-list-etiquette</a><br class=""> </div>
</blockquote>
</div>
<br class="">
</div>
</div>
</blockquote>
</div>
</div>
</blockquote>
</div>
<br class="">
</div>
</blockquote>
</div>
</div>
</span></span>
</body>
</html>
_______________________________________________
Snort-users mailing list
Snort-users@lists.snort.org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
--===============3364209327525458139==--
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic