topic Re: Need solution in Network Security

Need solution

sureshkum — Sun, 10 Mar 2019 10:55:21 GMT

Hi,

Kindly provde me solution how can i implement the bellow.We are using IDS-4235 v 4.1..

Update: In addition to the domains mentioned above, more malicious domains

are being reported. The comple list of malicious domains is as follows:

uhave post card DOT com

merrychristmasdude DOT com

americangreetings DOT b719 DOT cn

americangreetings DOT 846123 DOT cn

lbss DOT 3322 DOT org

happycards2008 DOT com

newyear2008 DOT com

newyearcards2008 DOT com

newyearwithlove DOT com

Note: Users are advised to visit this page regularly to get the updated

list of malicious domains.

Users are advised to implement following countermeasures:

It has been observed that the malicious domains such as mentioned above are

hosted by the Storm Botnet mostly using nginx/0.5.17 web server . Consider

blocking packets from the nginx/0.5.17 web server through Proxy or set an

appropriate alert/rule at IDS/IPS

Re: Need solution

wsulym — Mon, 31 Dec 2007 15:20:49 GMT

you can use the string.tcp engine, with the following regex:

[\r\n]Server[:]\x20nginx\x2f0[.]5[.]17

*from* #WEBPORTS

to detect the nginx webserver.

You can also use string.udp (setting *to* port 53) to trigger alerts on dns requests for the domains mentioned. For the dns regex, you need to be aware that the query will take the form of:

length-byte -- characters -- length-byte -- characters

So something like my.domain.com 2 characters, 6 characters, then 3 characters. Gets strung together as such:

\x02[Mm][Yy]\x06[Dd][Oo][Mm][Aa][Ii][Nn]\x03[Cc][Oo][Mm]

That is the regex to catch my.domain.com regardless of case in a dns query (UDP).

(note that the dots in the name, do not appear in the regex string)

Re: Need solution

sureshkum — Tue, 01 Jan 2008 11:51:21 GMT

Thank q for ur response.