2019-10-25 04:30:55 +02:00
|
|
|
action: global
|
2020-02-20 23:00:16 +01:00
|
|
|
title: High DNS Requests Rate
|
2019-12-19 23:56:36 +01:00
|
|
|
id: b4163085-4001-46a3-a79a-55d8bbbc7a3a
|
2019-10-25 04:30:55 +02:00
|
|
|
status: experimental
|
2020-09-15 07:02:30 -06:00
|
|
|
description: High DNS requests amount from host per short period of time
|
2019-10-25 04:30:55 +02:00
|
|
|
author: Daniil Yugoslavskiy, oscd.community
|
|
|
|
|
date: 2019/10/24
|
2020-08-27 20:43:47 +03:00
|
|
|
modified: 2020/08/27
|
2020-09-15 07:02:30 -06:00
|
|
|
falsepositives:
|
|
|
|
|
- Legitimate high DNS requests rate to domain name which should be added to whitelist
|
|
|
|
|
level: medium
|
2019-10-25 04:30:55 +02:00
|
|
|
tags:
|
|
|
|
|
- attack.exfiltration
|
2020-08-27 20:43:47 +03:00
|
|
|
- attack.t1048 # an old one
|
|
|
|
|
- attack.t1048.003
|
|
|
|
|
- attack.command_and_control
|
|
|
|
|
- attack.t1071 # an old one
|
|
|
|
|
- attack.t1071.004
|
2019-10-25 04:30:55 +02:00
|
|
|
---
|
|
|
|
|
logsource:
|
|
|
|
|
category: dns
|
|
|
|
|
detection:
|
|
|
|
|
selection:
|
|
|
|
|
query: '*'
|
|
|
|
|
timeframe: 1m
|
|
|
|
|
condition: selection | count() by src_ip > 1000
|
|
|
|
|
---
|
|
|
|
|
logsource:
|
|
|
|
|
category: firewall
|
|
|
|
|
detection:
|
|
|
|
|
selection:
|
|
|
|
|
dst_port: 53
|
|
|
|
|
timeframe: 1m
|
|
|
|
|
condition: selection | count() by src_ip > 1000
|
