Update zeek_dns_mining_pools.yml

This commit is contained in:
Nate Guagenti
2021-08-23 14:11:04 -04:00
committed by GitHub
parent b00e1772b3
commit feb7d0e187
+2 -2
@@ -93,8 +93,8 @@ detection:
exclude_rejected:
rejected: "true"
condition: selection and not (exclude_answers OR exclude_rejected)
falsepositives: |
A DNS lookup does not necessarily mean a successful attempt, verify a) if there was a response using the zeek answers field, if there was then verify the connections (conn.log) to those IPs. b) verify if HTTP, SSL, or TLS activity to the domain that was queried. http.log field is "host" and ssl/tls is "server_name".
falsepositives:
- A DNS lookup does not necessarily mean a successful attempt, verify a) if there was a response using the zeek answers field, if there was then verify the connections (conn.log) to those IPs. b) verify if HTTP, SSL, or TLS activity to the domain that was queried. http.log field is "host" and ssl/tls is "server_name".
fields:
- id.orig_h
- id.resp_h
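Review bot: moving `falsepositives` from a block scalar to a list is the right shape for this field, but the single list item still folds two distinct verification steps (a: check the Zeek `answers` field and then conn.log for the returned IPs; b: check http.log `host` and ssl/tls `server_name` for the queried domain) into one run-on sentence; splitting them into two list items would make the guidance easier to act on and keeps each false-positive check self-contained. While here, the unchanged `rejected: "true"` at the top of the hunk matches the string `"true"` rather than a boolean, which is worth confirming against how the backend serialises Zeek's `rejected` field so `exclude_rejected` actually fires.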