Showing posts with label dns. Show all posts

Monday, December 26, 2016

1:41083 BLACKLIST suspicious .bit dns query

I previously wrote about documentation-less Snort rules. Below is my attempt to fill in some of those gaps.

Whoever created this DNS query blacklist alert didn't include documentation.

(1:41083) BLACKLIST suspicious .bit dns query

alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST suspicious .bit dns query"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|bit|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; classtype:trojan-activity; sid:41083; rev:1; )


If I had to guess, I think it's related to the .bit TLD or something similar, as described below.

Per reddit: The advantage to owning a .bit domain is that no government or third party can have your DNS interrupted; it is truly a P2P DNS system with no possibility of censorship.
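To make the two checks in the rule concrete, here is a small Python re-implementation of its matching logic, run against a DNS query built inside the script. This is an added example, not code from the original post or from whoever wrote the Snort rule; the packet builder, the function names and the sample domain names are my own assumptions, and the DNS header layout follows RFC 1035.

```python
"""Mirror of what sid 41083 looks for: a standard DNS query (byte_test on the
flags byte at offset 2) whose QNAME ends with the label 'bit' (content |03|bit|00|).
Added example with constructed packets; no network I/O."""
import struct


def build_dns_query(name: str, txid: int = 0x1234, flags: int = 0x0100) -> bytes:
    """Build a minimal DNS question packet (constructed test input).
    flags=0x0100 is a plain recursion-desired query; 0x8180 would be a response."""
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0)  # ID, flags, QD=1, AN/NS/AR=0
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.split("."))
    qname += b"\x00"  # root label terminates the name
    return header + qname + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN


def qname_of(payload: bytes) -> str:
    """Decode the first question name (no compression pointers in a query)."""
    labels, pos = [], 12
    while pos < len(payload):
        n = payload[pos]
        if n == 0:
            break
        labels.append(payload[pos + 1:pos + 1 + n].decode("ascii", "replace"))
        pos += 1 + n
    return ".".join(labels)


def matches_rule_41083(payload: bytes) -> bool:
    """byte_test:1,!&,0xF8,2 -> the byte at offset 2 must have none of the 0xF8 bits
    set, i.e. QR=0 (query, not response), Opcode=0 (standard query) and AA=0.
    content:"|03|bit|00|" -> a 3-byte label 'bit' that is the last label of a name,
    so 'example.bit' matches but 'bitcoin.com' or 'example.bit.com' do not."""
    if len(payload) < 12:  # shorter than a DNS header, nothing to inspect
        return False
    if payload[2] & 0xF8:
        return False
    return b"\x03bit\x00" in payload


if __name__ == "__main__":
    for name, flags in [("example.bit", 0x0100), ("bitcoin.com", 0x0100),
                        ("example.bit.com", 0x0100), ("example.bit", 0x8180)]:
        pkt = build_dns_query(name, flags=flags)
        print(f"{qname_of(pkt):20s} flags=0x{flags:04x} alert={matches_rule_41083(pkt)}")
```

Note that the rule never checks that the `|03|bit|00|` bytes sit inside the question section, only that they appear somewhere in the payload after the flags test passes, which is why the Python version does the same simple substring check rather than walking the question.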

More about neonprimetime


Top Blogs of all-time
  1. pagerank botnet sql injection walk-thru
  2. DOM XSS 101 Walk-Through
  3. An Invoice email and a Hot mess of Java


Top Github Contributions
  1. Qualys Scantronitor 2.0


Copyright © 2016, this post cannot be reproduced or retransmitted in any form without reference to the original post.

Wednesday, August 31, 2016

ipconfig /displaydns

Thought it'd be useful to share how to use the built-in Windows ipconfig /displaydns command for forensics or security research. This gives you a list of all DNS entries cached locally by your workstation, so you can see where you, or the malware you're researching, has been trying to call out to.



And of course, by combining commands you can quickly narrow down the results, such as with findstr.
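Piping to findstr is fine for a quick look, but when you want to keep the cache as evidence or compare it across several hosts it helps to parse the output into records. Here is a Python parser for the ipconfig /displaydns format with a findstr-style filter, run over a cache dump I constructed to look like the real layout. This is an added example, not from the original post; the sample entries, IP addresses and function names are my own, and any host with a .bit name is flagged purely to tie in with the Snort rule discussed above.

```python
"""Parse `ipconfig /displaydns` output into records and filter it.
Added example; SAMPLE_DISPLAYDNS is constructed, not captured from a real host."""

SAMPLE_DISPLAYDNS = """Windows IP Configuration

    example.com
    ----------------------------------------
    Record Name . . . . . : example.com
    Record Type . . . . . : 1
    Time To Live  . . . . : 3041
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 93.184.216.34


    updates.example.bit
    ----------------------------------------
    Record Name . . . . . : updates.example.bit
    Record Type . . . . . : 1
    Time To Live  . . . . : 600
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 203.0.113.7


    nonexistent.example.net
    ----------------------------------------
    Name does not exist.
"""


def parse_displaydns(text: str) -> list:
    """Return one dict per cached name: {"Name", "Records": [...], "Negative"}.
    Each 'Record Name' line starts a new record under the current name, so a name
    that has both a CNAME and an A record keeps both."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows IP Configuration") or set(line) == {"-"}:
            continue  # blank lines, banner, and the dashed separator under each name
        if line == "Name does not exist.":
            if current is not None:
                current["Negative"] = True  # negatively cached lookup (NXDOMAIN)
            continue
        if ":" in line:
            key, _, value = line.partition(":")
            key = key.replace(".", "").strip()  # drop the dot leaders
            if current is None:
                continue
            if key == "Record Name" or not current["Records"]:
                current["Records"].append({})
            current["Records"][-1][key] = value.strip()
            continue
        current = {"Name": line, "Records": [], "Negative": False}
        entries.append(current)
    return entries


def grep_entries(entries: list, needle: str) -> list:
    """findstr /i equivalent: names whose entry contains `needle` in the name or
    any record value (so you can search by IP address as well as by hostname)."""
    needle = needle.lower()
    return [e["Name"] for e in entries
            if needle in e["Name"].lower()
            or any(needle in v.lower() for r in e["Records"] for v in r.values())]


def names_with_tld(entries: list, tld: str) -> list:
    """Cached names under a given top-level domain, e.g. 'bit'."""
    suffix = "." + tld.lower().lstrip(".")
    return [e["Name"] for e in entries if e["Name"].lower().endswith(suffix)]


if __name__ == "__main__":
    import subprocess, sys
    # On a Windows host replace the constructed sample with the live cache.
    if sys.platform == "win32":
        text = subprocess.run(["ipconfig", "/displaydns"], capture_output=True,
                              text=True).stdout
    else:
        text = SAMPLE_DISPLAYDNS
    parsed = parse_displaydns(text)
    print("matches for 'bit':", grep_entries(parsed, "bit"))
    print(".bit names:", names_with_tld(parsed, "bit"))
```

Two things to keep in mind when you rely on this: the cache only holds entries that have not yet expired (the Time To Live column counts down), so grab it early in an investigation, and a negatively cached name ("Name does not exist.") is still worth keeping because it shows what the machine tried to resolve.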


