Community Member

5894:1 Storm Worm

The signature generates false positives on DNS traffic.

An example is a DNS query with a Transaction ID: 0xE30F

On networks with a lot of DNS traffic the signature will produce 30+ alarms per day.

8 REPLIES
Gold

Re: 5894:1 Storm Worm

This signature is designed to detect the botnet behavior of an infected machine. Some possible options are to exclude your DNS servers as a source or destination, or you could modify the ports to ignore 53 (1-51,54-65535).
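
As an added illustration (not from this thread, Cisco, or the signature itself), the Python below models the match the original post describes, a 16-bit value at the start of the UDP payload equal to 0xE30F, together with the port-53 exclusion suggested above, and shows why a busy DNS network produces tens of alarms a day. The exact signature logic, the assumption that resolvers choose transaction IDs uniformly at random, and the query volume are assumptions; the DNS queries are constructed, not captured.

```python
import random
import struct

STORM_TXID = 0xE30F   # the 16-bit value the thread reports signature 5894:1 matching in DNS queries
DNS_PORT = 53

def build_dns_query(txid: int, name: str) -> bytes:
    """Construct a minimal DNS A query (sample input, not captured traffic)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # id, flags (RD), qd/an/ns/ar counts
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)           # QTYPE=A, QCLASS=IN

def dns_transaction_id(payload: bytes) -> int:
    """Return the transaction ID, i.e. the first two bytes of a DNS message."""
    if len(payload) < 12:
        raise ValueError("shorter than a DNS header")
    return struct.unpack("!H", payload[:2])[0]

def signature_fires(src_port: int, dst_port: int, payload: bytes, ignore_dns: bool = False) -> bool:
    """Hypothetical model of the match: the first two payload bytes equal STORM_TXID.
    ignore_dns models the reply's suggestion of removing port 53 from the signature's port range."""
    if ignore_dns and DNS_PORT in (src_port, dst_port):
        return False
    return len(payload) >= 2 and struct.unpack("!H", payload[:2])[0] == STORM_TXID

def expected_false_positives(queries_per_day: int) -> float:
    """If resolvers pick transaction IDs uniformly, each query matches with probability 1/65536."""
    return queries_per_day / 65536

def simulate(queries: int, seed: int = 1) -> int:
    """Count matches over constructed queries with random IDs, without the port-53 exclusion."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(queries):
        pkt = build_dns_query(rng.getrandbits(16), "example.com")
        if signature_fires(32768, DNS_PORT, pkt):
            hits += 1
    return hits

if __name__ == "__main__":
    # about 2 million queries a day is enough to reach the "30+ alarms per day" the post reports
    print(f"2M queries/day -> ~{expected_false_positives(2_000_000):.1f} expected alarms/day")
    print("simulated hits in 200k constructed queries:", simulate(200_000))
```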

Community Member

Re: 5894:1 Storm Worm

Is it just me, or is the quality of the signatures out of the box lately less than satisfactory?

Community Member

Re: 5894:1 Storm Worm

How about modifying the signature so it won't look at the transaction ID for DNS traffic? - A lot better than having everyone with a Cisco IDS/IPS sensor add filters or change the ports.

Yes I agree, signature quality is sometimes really poor. This is a good example.

Community Member

Re: 5894:1 Storm Worm

Most people just don't want to be bothered with tweaking. If it's too noisy, it gets disabled.

Gold

Re: 5894:1 Storm Worm

You might consider having generic filters for your DNS servers anyway. It is not uncommon for traffic to/from them to trigger a variety of signatures. Trying to create a regex that matches one thing but not another is sometimes very difficult. In our own environment, the botnet behavior would likely be very noticeable for other reasons, so the signature may not be that useful anyway.

Community Member

Re: 5894:1 Storm Worm

Ehh? So just because there already are a lot of bad quality signatures we should accept more?

I guess the current engines can't handle this type of advanced signature, and that's too bad. Several competitors are making way more advanced signatures.

Gold

Re: 5894:1 Storm Worm

No, you shouldn't, especially if you believe there are greener pastures available ;-) You could open a ticket with Cisco to fix it if you think it's possible to create a "tighter" signature. Until then, I would suggest filtering.

Community Member

Re: 5894:1 Storm Worm

I actually posted this before I saw this.

http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=General&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cbe5171

I'm seeing this fire falsely for an entirely different reason, for nginx servers.

Has anyone successfully tightened up this signature? If so, can you let me know how?

Thanks.
