Re: FP ET RBN Known Russian Business Network IP UDP
Thierry, I too have noticed this and I use a sed recipe to do this exact
thing: not trigger on DNS traffic. I've had some instances where known
DNS providers like eNOM/GoDaddy were classified as RBN or Bot C&C. This
causes some definite issues regarding DNS. I am only doing this for UDP
53, not TCP 53, since I want to see AXFR/IXFR.
If there isn't much contention in doing this, it may be a good idea to
implement this against these rules.
# Do not block on DNS egress due to false positives and resolution failure.
# Rewrites the source-port field (the "any" just before "->") of every
# "alert udp" rule to !53, leaving tcp rules untouched.
for f in ./emerging-rbn.rules ./emerging-compromised.rules ./emerging-botcc.rules; do
    /bin/sed -i 's/^alert udp\(.*\) any -> \(.*\)$/alert udp\1 !53 -> \2/' "$f"
done
I'm laughing at the PS line. Curious, since you're French, is "Guise"
even a French name?
Thierry Chich wrote:
> I have a huge amount of alerts from these rules, mainly because of DNS
> traffic. It seems there are official DNS servers in these networks. It
> seems to me that an alert shouldn't be triggered about a DNS request
> towards these networks. Even if it could be interpreted as the symptom
> of a compromised host, it is really difficult to find it, since there
> can be a lot of DNS forwarders involved.
> I suggest that this kind of rule takes !53 as destination port.
> Thierry Chich
> PS: Don't forget, I am not the Sourcefire troll. My English grammar is
> really poor, and I am really French. It is not a clever ruse.
> Emerging-sigs mailing list
> Support Emerging Threats! Get your ET Stuff! Tshirts, Coffee Mugs and Lanyards
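The sed recipe in the reply above only touches the port in front of "->". Below is an added example, not code from the list or from Emerging Threats, that generalises it: it parses the rule header and puts !53 on whichever address side is not $HOME_NET, so both the outbound ($HOME_NET -> range) and inbound (range -> $HOME_NET) forms of a rule stop matching DNS, while tcp rules are left alone so AXFR/IXFR stay visible. The sample rules, addresses and sids are constructed; the $HOME_NET variable name is assumed.

```python
"""Rewrite ET-style rule headers so UDP/53 on the listed-network side does not alert."""
import re

# Header layout: action proto src_ip src_port dir dst_ip dst_port (options)
# Address lists are assumed to contain no spaces, as in the ET rules.
HEADER = re.compile(
    r"^(?P<action>alert|log|pass|drop)\s+(?P<proto>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s+(?P<opts>\(.*\))\s*$"
)


def exclude_dns(rule: str, home_net: str = "$HOME_NET") -> str:
    """Return rule with 'any' replaced by '!53' on every port whose address
    is not home_net. Comments, blank lines, non-udp rules and headers the
    regex does not understand come back unchanged."""
    m = HEADER.match(rule)
    if not m or m.group("proto") != "udp":
        return rule
    f = m.groupdict()
    if f["src"] != home_net and f["sport"] == "any":
        f["sport"] = "!53"  # replies from a DNS server inside the listed range
    if f["dst"] != home_net and f["dport"] == "any":
        f["dport"] = "!53"  # queries to a DNS server inside the listed range
    return "{action} {proto} {src} {sport} {dir} {dst} {dport} {opts}".format(**f)


def rewrite_rules(text: str) -> str:
    """Apply exclude_dns to every line of a rules file's contents."""
    return "\n".join(exclude_dns(line) for line in text.splitlines())


# Constructed sample in ET header style; addresses (RFC 5737) and sids are made up.
SAMPLE = """\
# constructed RBN-style rules for this example
alert udp $HOME_NET any -> [192.0.2.0/24,198.51.100.0/24] any (msg:"RBN outbound UDP"; sid:9000001;)
alert udp [192.0.2.0/24,198.51.100.0/24] any -> $HOME_NET any (msg:"RBN inbound UDP"; sid:9000002;)
alert tcp $HOME_NET any -> [192.0.2.0/24] any (msg:"RBN outbound TCP"; sid:9000003;)
"""

if __name__ == "__main__":
    print(rewrite_rules(SAMPLE))
```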