topic Thanks for the response. in Network Security

BLACKLIST DNS request for known malware domain counter.yadro.ru

ramachandran.gunasekaran — Sun, 18 Jun 2017 20:56:47 GMT

alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain counter.yadro.ru"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|counter|05|yadro|02|ru|00|"; fast_pattern:only; metadata:impact_flag red, service dns; reference:url,www.virustotal.com/en/domain/counter.yadro.ru/information/; classtype:trojan-activity; sid:29119; rev:1; )

Hi Team,

For the above rule, we observed numerous connection due to the redirection. we have blocked the domain in proxy. but we also thinking to block the same in IPS since the reputation of the domain is high malicious.

reference:

https://virustotal.com/en/domain/yadro.ru/information/

https://www.hybrid-analysis.com/sample/aeb26c5c1caae1ddd9ea63266080e27d29ced1a48090c5be3e77aef3e2534b47?environmentId=1

https://answers.microsoft.com/en-us/protect/forum/protect_other-protect_scanning/what-is-counter-yadro/3b7a3384-6eba-4225-ac6f-54f58e837bdd

http://www.precisesecurity.com/hijacker/get-rid-counter-yadro-ru

Kindly suggest/help to create DNS lookup block IPS rule for the above domain.

Thanks

Ramachandran

If it's not already being

Marvin Rhoads — Mon, 19 Jun 2017 11:54:46 GMT

If it's not already being blocked by the Global Blacklist feed then you can create and add a custom DNS blacklist locally (under object management).

Make sure it is specified in your DNS policy and that DNS policy is called out in the Access Control Policy. Finally, deploy the policy.

Reference:

http://www.cisco.com/c/en/us/td/docs/security/firepower/60/configuration/guide/fpmc-config-guide-v60/DNS_Policies.html#concept_FFB4BE7AF2914BAD9CFF278BCCBC523C

Thanks for the response.

ramachandran.gunasekaran — Mon, 19 Jun 2017 20:58:57 GMT

Thanks for the response.

There were successful connections before blocking this domain in proxy but we still see proxy and ips log towards the "counter.yadro.ru".

If possible, can you share us much more info regarding the same. Need to troubleshoot the system from which we use logs for this domain.

The suspected part is eventhough there is no redirection observed proxy ips logs towards this domain.

Thanks

Ramahandran

I'm not sure how your entire

Marvin Rhoads — Tue, 20 Jun 2017 04:14:56 GMT

I'm not sure how your entire flow works between DNS server, web proxy and IPS. As long as the endpoints have the malware on them they will make attempts to lookup the domain.

Part of the IPS or web proxy blocking them (if that is indeed what is happening) would be to log the aciton of having blocked it. That is normal and expected.

Can you able to help with us

ramachandran.gunasekaran — Thu, 22 Jun 2017 20:34:48 GMT

Can you able to help with us by providing custom signatures for our environment.

No. This is the free Cisco

Marvin Rhoads — Fri, 23 Jun 2017 12:33:04 GMT

No. This is the free Cisco Support Community. That would be outside the scope of what this community is for.

Thank you so much for the

ramachandran.gunasekaran — Wed, 28 Jun 2017 00:19:31 GMT

Thank you so much for the support