From 4b43db2aac5da317f9db3cba55b598f324d4b74c Mon Sep 17 00:00:00 2001
From: patrick
Date: Sat, 13 Apr 2019 20:27:36 +0200
Subject: [PATCH 1/4] Add new Sigma Rule for C2 DNS Tunneling
---
 rules/network/net_dns_c2_detection.yml | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
 create mode 100644 rules/network/net_dns_c2_detection.yml
diff --git a/rules/network/net_dns_c2_detection.yml b/rules/network/net_dns_c2_detection.yml
new file mode 100644
index 000000000..9053dae25
--- /dev/null
+++ b/rules/network/net_dns_c2_detection.yml
@@ -0,0 +1,19 @@
+title: DNS C2 Detection
+status: experimental
+description: Normally, there exists a limited amount of different dns queries for a single domain. If a huge number of dns queries were performed for a single domain, this can be an indicator that DNS is used for transferring data.
+references:
+ - https://zeltser.com/c2-dns-tunneling/
+author: Patrick Bareiss
+date: 2019/04/07
+logsource:
+ product: dns
+detection:
+ selection:
+ parent_domain: '*'
+ condition: selection | count(dns_query) by parent_domain > 1000
+falsepositives:
+ - Valid software, which uses dns for transferring data
+level: high
+tags:
+ - attack.c2
+ - attack.t1043
From 51d19b36cc89efc0bfeab2d683ae851689c7da67 Mon Sep 17 00:00:00 2001
From: patrick
Date: Sat, 13 Apr 2019 20:28:55 +0200
Subject: [PATCH 2/4] Add new Sigma Rule for C2 DNS Tunneling
---
 rules/network/net_dns_c2_detection.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/rules/network/net_dns_c2_detection.yml b/rules/network/net_dns_c2_detection.yml
index 9053dae25..057b30da4 100644
--- a/rules/network/net_dns_c2_detection.yml
+++ b/rules/network/net_dns_c2_detection.yml
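Review bot: The aggregation `condition: selection | count(dns_query) by parent_domain > 1000` carries no `timeframe`, so the window over which the 1000 queries are counted is whatever the backend or the analyst's search range happens to be, and the threshold means something different in every deployment. Adding `timeframe: 1h` (or whichever window the 1000 figure was tuned against) to the `detection` block makes the rule reproducible across backends. The description speaks of "different dns queries", but whether `count(dns_query)` yields distinct query names or total events is backend-dependent, so the description should say which one the threshold assumes and call the 1000 out as a per-environment tuning point. The single falsepositives entry would be more useful to analysts if it named the usual legitimate DNS-heavy sources (antivirus signature lookups carried over DNS, CDN and telemetry domains) that a deployment typically has to filter first. Separately, `attack.c2` is not a Sigma tactic tag — the convention is `attack.command_and_control` — and `attack.t1043` (Commonly Used Port) arguably fits DNS tunneling less well than `attack.t1071` (application-layer protocol).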
@@ -3,6 +3,7 @@ status: experimental
 description: Normally, there exists a limited amount of different dns queries for a single domain. If a huge number of dns queries were performed for a single domain, this can be an indicator that DNS is used for transferring data.
 references:
 - https://zeltser.com/c2-dns-tunneling/
+ - https://patrick-bareiss.com/detect-c2-traffic-over-dns-using-sigma/
 author: Patrick Bareiss
 date: 2019/04/07
 logsource:
From 07133604438bb8856496ca49b69f6cc1a4e6dd46 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Sun, 21 Apr 2019 08:52:07 +0200
Subject: [PATCH 3/4] Fixed MITRE ATT&CK tags
---
 rules/network/net_dns_c2_detection.yml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/rules/network/net_dns_c2_detection.yml b/rules/network/net_dns_c2_detection.yml
index 057b30da4..bed84c6db 100644
--- a/rules/network/net_dns_c2_detection.yml
+++ b/rules/network/net_dns_c2_detection.yml
@@ -16,5 +16,4 @@ falsepositives:
 - Valid software, which uses dns for transferring data
 level: high
 tags:
- - attack.c2
 - attack.t1043
From a85acdfd029833cc750edaa3fa6258042e2392e3 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Sun, 21 Apr 2019 08:54:56 +0200
Subject: [PATCH 4/4] Changed title and description
---
 rules/network/net_dns_c2_detection.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/network/net_dns_c2_detection.yml b/rules/network/net_dns_c2_detection.yml
index bed84c6db..90a889dc2 100644
--- a/rules/network/net_dns_c2_detection.yml
+++ b/rules/network/net_dns_c2_detection.yml
@@ -1,6 +1,6 @@
-title: DNS C2 Detection
+title: Possible DNS Tunneling
 status: experimental
-description: Normally, there exists a limited amount of different dns queries for a single domain. If a huge number of dns queries were performed for a single domain, this can be an indicator that DNS is used for transferring data.
+description: Normally, DNS logs contain a limited amount of different dns queries for a single domain. This rule detects a high amount of queries for a single domain, which can be an indicator that DNS is used to transfer data.
 references:
 - https://zeltser.com/c2-dns-tunneling/
 - https://patrick-bareiss.com/detect-c2-traffic-over-dns-using-sigma/
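Review bot: The rewritten description still does not tell an analyst what is counted or over what window: it says "a high amount of queries" while the condition (outside this hunk) is `count(dns_query) by parent_domain > 1000` with no timeframe, so the threshold reads as absolute when it is really search-window dependent. Suggest appending one sentence to the new `description:` line along the lines of `This rule fires on more than 1000 queries (count of dns_query) for a single parent domain within the configured timeframe; the threshold must be tuned per environment.` The new title "Possible DNS Tunneling" honestly reflects a volume-based heuristic, which makes the rule's `level: high` (outside the hunk) look stronger than the signal warrants.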