Anyone ever had this alert before? ET TROJAN DNS Reply Sinkhole - Anubis - 195.22.26.192/26

Jason Burrell

Apr 25, 2016, 12:31:31 PM
to security-onion
ET TROJAN DNS Reply Sinkhole - Anubis - 195.22.26.192/26
alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET TROJAN DNS Reply Sinkhole - Anubis - 195.22.26.192/26"; content:"|00 01 00 01|"; content:"|00 04 c3 16 1a|"; distance:4; within:5; byte_test:1,>,224,0,relative; content:!"|0e|anubisnetworks|03|com|00|"; nocase; content:!"|05|mpsmx|03|net|00|"; nocase; content:!"|09|mailspike|03|com|00|"; nocase; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:2018455; rev:4;)


src: 54.72.8.183 and the dst is our DNS server...


I cannot figure out what could be causing this to trigger. I found this article https://community.spiceworks.com/topic/887257-very-confusing-ids-alert after googling around. Could ELSA help me find this possible virus? The DNS server comes up clean.
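Reading the rule itself narrows the trigger down: the header is $EXTERNAL_NET 53 -> $HOME_NET, so the alert's src is the upstream resolver that sent the reply and the dst is the local DNS server that forwarded the query; the host that originally asked is not in the alert. The content options then require an answer RR of type A / class IN, a 4-byte RDLENGTH followed by the octets 195.22.26, and (byte_test) a fourth octet greater than 224, so only 195.22.26.225 through .255 fire despite the /26 in the message, and any reply carrying anubisnetworks.com, mpsmx.net or mailspike.com in wire form is excluded. The following is an added example, not code from the thread, Emerging Threats or Snort: it re-implements those options in Python over constructed DNS replies so the condition can be checked offline. The query names, addresses, TTL and transaction ID are invented test data.

```python
"""Re-implementation of the content/byte_test logic of ET sid:2018455.

Added example for this thread, not code from Emerging Threats or Snort.
The packets built below are constructed test data, not captured traffic."""

# First content match: TYPE=A (0x0001), CLASS=IN (0x0001) in an answer RR
TYPE_A_CLASS_IN = b"\x00\x01\x00\x01"
# Second content match: RDLENGTH=4 followed by the octets 195.22.26
SINKHOLE_PREFIX = b"\x00\x04\xc3\x16\x1a"
# Names whose presence anywhere in the reply suppresses the alert (content:!)
EXCLUDED_NAMES = ("anubisnetworks.com", "mpsmx.net", "mailspike.com")


def dns_name(name: str) -> bytes:
    """Encode a dotted name in DNS wire format (length-prefixed labels)."""
    return b"".join(bytes([len(label)]) + label.encode()
                    for label in name.split(".")) + b"\x00"


def build_dns_reply(qname: str, ip: str, ttl: int = 300, txid: int = 0x1234) -> bytes:
    """Build a minimal UDP DNS response with one question and one A answer.

    The answer name is a compression pointer (0xc00c) back to the question,
    which always starts at offset 12 after the fixed header."""
    header = (txid.to_bytes(2, "big") + b"\x81\x80"          # flags: QR, RD, RA
              + b"\x00\x01\x00\x01\x00\x00\x00\x00")         # qd=1 an=1 ns=0 ar=0
    question = dns_name(qname) + b"\x00\x01\x00\x01"         # QTYPE=A, QCLASS=IN
    rdata = bytes(int(octet) for octet in ip.split("."))
    answer = (b"\xc0\x0c" + TYPE_A_CLASS_IN + ttl.to_bytes(4, "big")
              + len(rdata).to_bytes(2, "big") + rdata)
    return header + question + answer


def matches_sid_2018455(payload: bytes) -> bool:
    """Return True when the UDP payload satisfies the rule's payload options."""
    # content:!"..."; nocase -- none of the excluded names may appear anywhere
    lowered = payload.lower()
    if any(dns_name(name) in lowered for name in EXCLUDED_NAMES):
        return False

    pos = 0
    while True:
        # content:"|00 01 00 01|" -- Snort retries later occurrences when the
        # relative matches after it fail, so loop over every occurrence
        i = payload.find(TYPE_A_CLASS_IN, pos)
        if i < 0:
            return False
        # distance:4 skips the 4-byte TTL; within:5 with a 5-byte pattern pins
        # the second content to start exactly there (the RDLENGTH field)
        rdlen = i + len(TYPE_A_CLASS_IN) + 4
        if payload[rdlen:rdlen + 5] == SINKHOLE_PREFIX:
            # byte_test:1,>,224,0,relative -- the fourth octet must exceed 224
            last = rdlen + 5
            if last < len(payload) and payload[last] > 224:
                return True
        pos = i + 1


if __name__ == "__main__":
    for qname, ip in [("example.com", "195.22.26.230"),
                      ("example.com", "195.22.26.200"),
                      ("anubisnetworks.com", "195.22.26.230")]:
        verdict = "ALERT" if matches_sid_2018455(build_dns_reply(qname, ip)) else "no alert"
        print(f"{qname:22} -> {ip:15} {verdict}")
```

Note that the first content also matches the header's QDCOUNT/ANCOUNT and the question's QTYPE/QCLASS; the loop shows why that does not matter, since the relative checks fail there and the search moves on to the answer RR. Feeding the rule a pcap of the actual reply (the packet Security Onion saved with the alert) into this function tells you which of the three conditions it satisfied.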

Shane Castle

Apr 25, 2016, 3:32:46 PM
to securit...@googlegroups.com
A couple of comments. First, you don't say anything about your setup, like if
the DNS server is the one from which requests from your network go out to the
rest of the world. I ran a setup where we had internal DNS servers that
forwarded queries to DMZ-based DNS servers, and I only sniffed the traffic
between inside and the DMZ, between inside and outside, and between DMZ and
outside. I'd see responses like this, could trace the request to the inside
forwarder, but it stopped there because I was not sniffing traffic to the
internal DNS servers.

When I was doing this I did not have ELSA. I am not that good yet at using ELSA.
I'm sure you could construct queries that would show how the request started at
your DNS server but if you have a split-brain DNS setup like I did it's the
internal servers you need to do traces on. (BTW, ELSA is mostly a snazzy way of
looking through the Bro logs. Looking through them by hand works, too, just not
as fast.) Adding the capability of sniffing internal traffic to those servers
was a long-term goal of mine but it never happened, owing mainly to leaving the job.

Trying to correlate this alert with other sources could also be of help, like AV
logs, SIEM logs, firewall logs, and so on. But I don't have a "one query to rule
them all" solution for you.
--
Best regards
Shane Castle
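The pivot Shane describes, from the alert to the host that originally asked, is a lookup in Bro's dns.log: find the record whose answers field contains the sinkhole address, take its query name, and then look for the same name on the inside leg, where id.orig_h is the real client rather than the forwarder. The following is an added example, not code from the thread, ELSA or Bro: it parses a constructed dns.log excerpt in the Bro 2.x column layout and applies the same address test the rule uses. The forwarder 10.0.0.2, workstation 10.0.0.25, query names and timestamps are invented.

```python
"""Pivot from a sinkhole DNS reply to the querying client using Bro dns.log.

Added example, not code from the thread, ELSA or Bro. The log excerpt and
every address in it are constructed for illustration."""
import ipaddress

SINKHOLE_NET = ipaddress.ip_network("195.22.26.192/26")

# Constructed dns.log in Bro 2.x layout (tab-separated, "#fields" header).
# 10.0.0.2 is the site's forwarder, 54.72.8.183 an upstream resolver and
# 10.0.0.25 an inside workstation; the inside leg (line CX1) is only in the
# log if a sensor sees traffic between clients and the forwarder.
SAMPLE_DNS_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\ttrans_id\tquery\tqclass\tqclass_name\tqtype\tqtype_name\trcode\trcode_name\tAA\tTC\tRD\tRA\tZ\tanswers\tTTLs\trejected
1461600000.100000\tCX1\t10.0.0.25\t53012\t10.0.0.2\t53\tudp\t4711\tbad.example\t1\tC_INTERNET\t1\tA\t0\tNOERROR\tF\tF\tT\tT\t0\t195.22.26.230\t300.000000\tF
1461600000.120000\tCX2\t10.0.0.2\t40001\t54.72.8.183\t53\tudp\t9001\tbad.example\t1\tC_INTERNET\t1\tA\t0\tNOERROR\tF\tF\tT\tT\t0\t195.22.26.230\t300.000000\tF
1461600001.000000\tCX3\t10.0.0.2\t40002\t54.72.8.183\t53\tudp\t9002\twww.example.com\t1\tC_INTERNET\t1\tA\t0\tNOERROR\tF\tF\tT\tT\t0\talias.example.com,93.184.216.34\t60.000000,60.000000\tF
1461600002.000000\tCX4\t10.0.0.2\t40003\t54.72.8.183\t53\tudp\t9003\tmx.example.net\t1\tC_INTERNET\t1\tA\t0\tNOERROR\tF\tF\tT\tT\t0\t195.22.26.200\t300.000000\tF
1461600003.000000\tCX5\t10.0.0.2\t40004\t54.72.8.183\t53\tudp\t9004\tnx.example\t1\tC_INTERNET\t1\tA\t3\tNXDOMAIN\tF\tF\tT\tT\t0\t-\t-\tF
"""


def parse_bro_log(text: str):
    """Yield one dict per record, keyed by the names in the #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):
            continue
        yield dict(zip(fields, line.split("\t")))


def rule_would_fire(addr: str) -> bool:
    """Mirror sid:2018455's RDATA test: inside 195.22.26.192/26 with last octet > 224."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:          # CNAME target or "-" (no answer) in the column
        return False
    return ip in SINKHOLE_NET and (int(ip) & 0xFF) > 224


def find_sinkhole_replies(log_text: str):
    """Return (id.orig_h, id.resp_h, query) for every record answered from the sinkhole."""
    hits = []
    for rec in parse_bro_log(log_text):
        if any(rule_would_fire(a) for a in rec["answers"].split(",")):
            hits.append((rec["id.orig_h"], rec["id.resp_h"], rec["query"]))
    return hits


def clients_behind(hits, forwarder: str):
    """Inside hosts that asked the forwarder: the machines worth scanning."""
    return sorted({orig for orig, resp, _ in hits if resp == forwarder})


if __name__ == "__main__":
    hits = find_sinkhole_replies(SAMPLE_DNS_LOG)
    for orig, resp, query in hits:
        print(f"{orig} asked {resp} for {query}")
    print("pivot on these names inside:", sorted({q for _, _, q in hits}))
    print("clients behind the forwarder:", clients_behind(hits, "10.0.0.2"))
```

With only the outside leg sniffed, the hits list contains the forwarder as id.orig_h and the query name is the only pivot, which is exactly the dead end Shane hit; line CX4 also shows why an address in the /26 with a last octet of 224 or below never produces this alert.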

chris izatt

Feb 1, 2017, 6:04:40 AM
to security-onion
I got this alert as well; trying to figure out the trigger.