New Member

Need solution

Hi,

Kindly provide me a solution for how I can implement the below. We are using IDS-4235 v 4.1.

Update: In addition to the domains mentioned above, more malicious domains are being reported. The complete list of malicious domains is as follows:

uhave post card DOT com
merrychristmasdude DOT com
americangreetings DOT b719 DOT cn
americangreetings DOT 846123 DOT cn
lbss DOT 3322 DOT org
happycards2008 DOT com
newyear2008 DOT com
newyearcards2008 DOT com
newyearwithlove DOT com

Note: Users are advised to visit this page regularly to get the updated list of malicious domains.

Users are advised to implement the following countermeasures:

It has been observed that the malicious domains such as those mentioned above are hosted by the Storm Botnet, mostly using the nginx/0.5.17 web server. Consider blocking packets from the nginx/0.5.17 web server through a proxy, or set an appropriate alert/rule at the IDS/IPS.

Cisco Employee

Re: Need solution

You can use the string.tcp engine, with the following regex:

[\r\n]Server[:]\x20nginx\x2f0[.]5[.]17

*from* #WEBPORTS

to detect the nginx webserver.

You can also use string.udp (setting *to* port 53) to trigger alerts on dns requests for the domains mentioned. For the dns regex, you need to be aware that the query will take the form of:

length-byte -- characters -- length-byte -- characters

So something like my.domain.com is 2 characters, 6 characters, then 3 characters, and gets strung together as such:

\x02[Mm][Yy]\x06[Dd][Oo][Mm][Aa][Ii][Nn]\x03[Cc][Oo][Mm]

That is the regex to catch my.domain.com regardless of case in a dns query (UDP).

(Note that the dots in the name do not appear in the regex string.)
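As an added illustration of the DNS regex construction described in this reply (example code, not from the original poster or from Cisco): the function below turns a domain name into the length-byte/label pattern with per-letter [Xx] case classes, and checks it against a constructed DNS query. The `undefang` helper and the 12-byte header in the sample packet are assumptions for the demo; digits and hyphens in labels are matched literally.

```python
import re


def undefang(defanged: str) -> str:
    """Turn the advisory's 'name DOT tld' spelling back into a hostname."""
    return ".".join(part.strip() for part in defanged.split(" DOT "))


def dns_label_regex(domain: str) -> bytes:
    """Build the string.udp-style regex for a DNS query name.

    Each label is preceded by its length byte, the dots are not encoded,
    and every letter is matched case-insensitively with a [Xx] class,
    exactly as in the reply above. Digits and hyphens are kept literal.
    """
    parts = []
    for label in domain.strip(".").split("."):
        if not 1 <= len(label) <= 63:          # DNS label length limit
            raise ValueError(f"bad label length: {label!r}")
        parts.append(f"\\x{len(label):02x}")   # the length byte, e.g. \x06
        for ch in label:
            parts.append(f"[{ch.upper()}{ch.lower()}]" if ch.isalpha()
                         else re.escape(ch))
    return "".join(parts).encode("ascii")


def encode_qname(domain: str) -> bytes:
    """Wire-format QNAME: length byte, label, ..., terminating zero byte."""
    out = b""
    for label in domain.strip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def matches_query(domain: str, packet: bytes) -> bool:
    """True if the UDP payload carries a query for `domain` (any case)."""
    return re.search(dns_label_regex(domain), packet) is not None


# Constructed sample: a 12-byte DNS header (ID 0x1234, one question),
# then the QNAME as a resolver might send it (mixed case), then type A,
# class IN. This is test data made up for the example, not captured traffic.
SAMPLE_HEADER = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
SAMPLE_QUERY = SAMPLE_HEADER + encode_qname("My.Domain.COM") + b"\x00\x01\x00\x01"

if __name__ == "__main__":
    print(dns_label_regex("my.domain.com").decode())
    print(matches_query("my.domain.com", SAMPLE_QUERY))   # True
```

Because the pattern is not anchored to the trailing zero byte, it also fires on subdomains of the listed name (for example, anything under merrychristmasdude.com), which is usually what you want for a botnet domain.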

New Member

Re: Need solution

Thank you for your response.
