5894:1 Storm Worm

m-hansson
Level 1

The signature generates false positives on DNS traffic.

An example is a DNS query with a Transaction ID: 0xE30F

At networks with a lot of DNS traffic the signature will produce 30+ alarms per day.

8 Replies

mhellman
Level 7

This signature is designed to detect the botnet behavior of an infected machine. Some possible options are to exclude your DNS servers as a source or destination, or you could modify the ports to ignore 53 (1-51,54-65535).
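To illustrate the two tuning options in the reply above (excluding the DNS servers as source or destination, or dropping port 53 from the signature's port range), here is an added Python example that is not from the thread, Cisco, or the signature itself. It assumes the signature is a plain content match on the two bytes 0xE3 0x0F (a simplification of the real signature); the packets and the DNS server address are constructed.

```python
import struct
from dataclasses import dataclass

# Assumed, simplified content of the signature: two raw bytes that are also
# a valid DNS transaction ID, which is what the thread reports as the false positive.
STORM_PATTERN = b"\xe3\x0f"

# Constructed DNS server address for the example (not from the thread).
DNS_SERVERS = {"192.0.2.53"}


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes


def build_dns_query(txid: int, name: str = "example.com") -> bytes:
    """Construct a minimal standard DNS A query whose header starts with txid."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def naive_signature(pkt: Packet) -> bool:
    """Out-of-the-box behaviour: fire on the pattern anywhere, on any port."""
    return STORM_PATTERN in pkt.payload


def tuned_signature(pkt: Packet) -> bool:
    """Tuned: ignore port 53 (1-52,54-65535) and traffic to/from known DNS servers."""
    if 53 in (pkt.sport, pkt.dport):
        return False
    if pkt.src in DNS_SERVERS or pkt.dst in DNS_SERVERS:
        return False
    return STORM_PATTERN in pkt.payload


def count_alarms(signature, packets) -> int:
    return sum(1 for p in packets if signature(p))


SAMPLE_PACKETS = [
    # Legitimate DNS query whose transaction ID happens to be 0xE30F.
    Packet("192.0.2.10", "192.0.2.53", 51234, 53, build_dns_query(0xE30F)),
    # Legitimate DNS query with another transaction ID.
    Packet("192.0.2.10", "192.0.2.53", 51235, 53, build_dns_query(0x1234)),
    # Same two bytes on a non-DNS port: still reported after tuning.
    Packet("192.0.2.10", "198.51.100.7", 40000, 30000, b"\x00\x01" + STORM_PATTERN + b"\x00"),
]
```

The trade-off is the one mhellman describes: the tuned version also misses an infected host that talks on port 53, so the filter only makes sense where that traffic is covered elsewhere.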

Is it just me or lately is the quality of the signatures out of the box less than satisfactory?

How about modifying the signature so it won't look at the transaction ID for DNS traffic? - A lot better than having everyone with a Cisco IDS/IPS sensor add filters or change the ports.

Yes I agree, signature quality is sometimes really poor. This is a good example.

Most people just don't want to be bothered with tweaking. If it's too noisy, it gets disabled.

You might consider having generic filters for your DNS servers anyway. It is not uncommon for traffic to/from them to trigger a variety of signatures. Trying to create a regex that matches one thing but not another is sometimes very difficult. In our own environment, the botnet behavior would likely be very noticeable for other reasons, so the signature may not be that useful anyway.

Ehh? So just because there already are a lot of bad quality signatures we should accept more?

I guess the current engines can't handle this type of advanced signature and that's too bad. Several competitors are making way more advanced signatures.

No, you shouldn't, especially if you believe there is greener pasture available ;-) You could open a ticket with Cisco to fix it if you think it's possible to create a "tighter" signature. Until then, I would suggest filtering.

I actually posted this before I saw this.

http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=General&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cbe5171

I'm seeing this fire falsely for an entirely different reason, for nginx servers.

Has anyone successfully tightened up this signature? If so, can you let me know how?

Thanks.
