09-27-2007 06:03 AM - edited 03-10-2019 03:48 AM
The signature generates false positives on DNS traffic.
An example is a DNS query with a Transaction ID of 0xE30F.
On networks with a lot of DNS traffic the signature produces 30+ alarms per day.
09-27-2007 06:38 AM
This signature is designed to detect the botnet behavior of an infected machine. Some possible options are to exclude your DNS servers as a source or destination, or you could modify the ports to ignore 53 (1-51,54-65535).
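As an added example, not part of this thread or of Cisco's own signature, the following Python model shows why a byte-pattern signature collides with a DNS transaction ID of 0xE30F and what the two tunings suggested above do to the alert count: the port-53 exclusion versus excluding your own DNS servers as source or destination. The pattern, addresses and sample packets are constructed assumptions.

```python
import struct
from dataclasses import dataclass

# Assumed signature pattern: 0xE30F is the transaction ID from the thread.
PATTERN = bytes.fromhex("E30F")
DNS_SERVERS = {"10.0.0.53"}  # constructed: the site's own resolvers

@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes

def dns_query(txid: int, name: str = "example.com") -> bytes:
    """Build a minimal DNS query; the transaction ID is the first 2 bytes."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode() for l in name.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # A, IN

def naive_match(pkt: Packet) -> bool:
    """Untuned signature: fires on any payload containing the pattern."""
    return PATTERN in pkt.payload

def port_scoped_match(pkt: Packet) -> bool:
    """Tuning from the thread: ignore port 53 (ports 1-51, 54-65535)."""
    if pkt.sport == 53 or pkt.dport == 53:
        return False
    return naive_match(pkt)

def host_scoped_match(pkt: Packet) -> bool:
    """Alternative tuning: exclude known DNS servers as source or destination."""
    if pkt.src in DNS_SERVERS or pkt.dst in DNS_SERVERS:
        return False
    return naive_match(pkt)

def alert_counts(pkts) -> dict:
    """Count alerts each variant would raise over the same traffic."""
    return {
        "naive": sum(naive_match(p) for p in pkts),
        "port_scoped": sum(port_scoped_match(p) for p in pkts),
        "host_scoped": sum(host_scoped_match(p) for p in pkts),
    }

# Constructed sample traffic: two txid collisions, one benign query,
# and one non-DNS flow that genuinely carries the pattern.
SAMPLE = [
    Packet("10.0.1.7", "10.0.0.53", 40001, 53, dns_query(0xE30F)),
    Packet("10.0.1.7", "10.0.0.53", 40002, 53, dns_query(0x1234)),
    Packet("10.0.1.9", "8.8.8.8", 40003, 53, dns_query(0xE30F)),
    Packet("10.0.1.5", "203.0.113.10", 51000, 6667, b"\x01" + PATTERN + b"\x02"),
]
```

Excluding only your own resolvers still lets the query to the external resolver alert, which is why the port exclusion is the broader fix even though it blinds the signature to anything on port 53.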
10-03-2007 08:31 AM
Is it just me, or has the quality of the out-of-the-box signatures lately been less than satisfactory?
10-04-2007 02:54 AM
How about modifying the signature so it won't look at the transaction ID for DNS traffic? That would be a lot better than having everyone with a Cisco IDS/IPS sensor add filters or change the ports.
Yes I agree, signature quality is sometimes really poor. This is a good example.
10-04-2007 05:29 AM
Most people just don't want to be bothered with tweaking. If it's too noisy, it gets disabled.
10-04-2007 06:21 AM
You might consider having generic filters for your DNS servers anyway. It is not uncommon for traffic to/from them to trigger a variety of signatures. Trying to create a regex that matches one thing but not another is sometimes very difficult. In our own environment, the botnet behavior would likely be very noticeable for other reasons, so the signature may not be that useful anyway.
10-25-2007 06:50 AM
Ehh? So just because there already are a lot of bad quality signatures we should accept more?
I guess the current engines can't handle this type of advanced signature, and that's too bad. Several competitors are making way more advanced signatures.
10-29-2007 06:37 AM
No, you shouldn't, especially if you believe there are greener pastures available ;-) You could open a ticket with Cisco to fix it if you think it's possible to create a "tighter" signature. Until then, I would suggest filtering.
10-29-2007 12:37 PM
I actually posted this before I saw this.
I'm seeing this fire falsely for an entirely different reason, for nginx servers.
Has anyone successfully tightened up this signature? If so, can you let me know how?
Thanks.