12-31-2007 03:07 AM - edited 03-10-2019 03:55 AM
Hi,
Kindly provide me a solution for how I can implement the below. We are using IDS-4235 v4.1.
Update: In addition to the domains mentioned above, more malicious domains
are being reported. The complete list of malicious domains is as follows:
Note: Users are advised to visit this page regularly to get the updated
list of malicious domains.
Users are advised to implement the following countermeasures:
It has been observed that the malicious domains such as those mentioned above are
hosted by the Storm Botnet, mostly using the nginx/0.5.17 web server. Consider
blocking packets from the nginx/0.5.17 web server through a proxy, or set an
appropriate alert/rule at the IDS/IPS.
12-31-2007 07:20 AM
You can use the string.tcp engine, with the following regex:
[\r\n]Server[:]\x20nginx\x2f0[.]5[.]17
*from* #WEBPORTS
to detect the nginx webserver.
You can also use string.udp (setting *to* port 53) to trigger alerts on dns requests for the domains mentioned. For the dns regex, you need to be aware that the query will take the form of:
length-byte -- characters -- length-byte -- characters
So something like my.domain.com is 2 characters, 6 characters, then 3 characters, which gets strung together as such:
\x02[Mm][Yy]\x06[Dd][Oo][Mm][Aa][Ii][Nn]\x03[Cc][Oo][Mm]
That is the regex to catch my.domain.com regardless of case in a dns query (UDP).
(note that the dots in the name do not appear in the regex string)
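As an added example (not code from the thread or from Cisco), the following Python builds the label-encoded DNS regex the reply describes, applies it to a constructed DNS query packet, and applies the reply's Server-header pattern to a constructed HTTP response. The helper `build_dns_query` and the sample packets are constructed for illustration only.

```python
import re

# Pattern quoted in the reply for the string.tcp engine (HTTP response header).
SERVER_HEADER_REGEX = rb"[\r\n]Server[:]\x20nginx\x2f0[.]5[.]17"


def dns_label_regex(domain: str) -> str:
    """Return a case-insensitive regex for `domain` in DNS wire format.

    Each label is preceded by its length byte (\\x02 for "my") and the dots
    never appear in the pattern, exactly as the reply describes:
    my.domain.com -> \\x02[Mm][Yy]\\x06[Dd][Oo][Mm][Aa][Ii][Nn]\\x03[Cc][Oo][Mm]
    """
    parts = []
    for label in domain.strip(".").split("."):
        if not 1 <= len(label) <= 63:
            raise ValueError(f"invalid DNS label: {label!r}")
        parts.append(f"\\x{len(label):02x}")  # length byte as a regex escape
        for ch in label:
            if ch.isalpha():
                parts.append(f"[{ch.upper()}{ch.lower()}]")  # match either case
            else:
                parts.append(re.escape(ch))  # digits and hyphens as-is
    return "".join(parts)


def build_dns_query(domain: str) -> bytes:
    """Constructed sample packet: a minimal DNS A query (header + question)."""
    header = b"\x12\x34" + b"\x01\x00" + b"\x00\x01" + b"\x00\x00" * 3
    qname = b"".join(bytes([len(l)]) + l.encode() for l in domain.split(".")) + b"\x00"
    return header + qname + b"\x00\x01" + b"\x00\x01"  # QTYPE=A, QCLASS=IN


def matches_dns_query(domain: str, packet: bytes) -> bool:
    """Apply the label-encoded regex to raw UDP payload bytes (port 53 traffic)."""
    return re.search(dns_label_regex(domain).encode(), packet) is not None


def flags_nginx_0_5_17(http_response: bytes) -> bool:
    """Apply the reply's Server-header pattern to a captured HTTP response."""
    return re.search(SERVER_HEADER_REGEX, http_response) is not None


if __name__ == "__main__":
    print(dns_label_regex("my.domain.com"))
    print(matches_dns_query("my.domain.com", build_dns_query("My.Domain.COM")))
    print(flags_nginx_0_5_17(b"HTTP/1.1 200 OK\r\nServer: nginx/0.5.17\r\n\r\n"))
```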
01-01-2008 03:51 AM
Thank you for your response.