Netgate Discussion Forum

Problem with pass list and domain 360safe.com. Please help

IDS/IPS
4 Posts 3 Posters 3.9k Views
  • simby
    last edited by Sep 8, 2015, 4:56 AM

    Hi!

    I have many connections to 360safe.com

    and Snort is blocking this

    A Network Trojan was Detected | APP-DETECT DNS request for potential malware SafeGuard to domain 360safe.com

    I have 2 questions.

    I have added all root servers to the Pass List and restarted Snort, etc. When a computer tries to connect to this IP, it blocks all DNS requests from other devices, for all other sites. Why? I have added the root DNS servers to the whitelist, and in Snort I can see the pass list IPs?

    I have a clean Windows 10; why is it trying to connect to 360safe.com?

    • doktornotor Banned
      last edited by Sep 8, 2015, 7:48 AM

      This won't work. You need to disable the rule; the root servers are just part of the traffic chain. It goes down from that (.tld DNS, then the authoritative DNS servers for that domain…). These kinds of rules are completely retarded; the guys who wrote this just don't understand how DNS works.

      • bmeeks
        last edited by Sep 9, 2015, 12:40 AM

        I agree with the @dok here.  These DNS rules are a bit off the mark.  Maybe they are good in theory, but when put into actual practice they don't work so well.  They false positive too much.

        Bill

        • doktornotor Banned
          last edited by Sep 9, 2015, 7:57 AM

          What strikes me: the people who wrote this really don't seem to have ever run a recursive resolver? Because, exactly as described, you end up with all root DNS servers blocked, plus a whole slew of others => totally broken DNS.  Anyone can kill DNS for everyone on the network merely by resolving a bunch of blacklisted domains. If you wanted to prevent damage, you'd block the actual traffic to hosts in that domain. Not block completely innocent DNS servers.

          1 Reply Last reply Reply Quote 0
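
An added example (not from any poster in this thread): a Python triage script for the situation discussed above. It reads constructed sample alerts in a made-up pipe-delimited format (not Snort's own log format) and shows which DNS-server destinations of the DNS-query rule are still outside a pass list that contains only the root servers. The resolver, TLD-server and authoritative-server addresses are documentation-range placeholders, and the function names are hypothetical.

```python
import ipaddress

# IPv4 addresses of the 13 root name servers (a-m.root-servers.net);
# check them against the IANA root hints file before relying on the list.
ROOT_SERVERS = {
    "198.41.0.4", "170.247.170.2", "192.33.4.12", "199.7.91.13",
    "192.203.230.10", "192.5.5.241", "192.112.36.4", "198.97.190.53",
    "192.36.148.17", "192.58.128.30", "193.0.14.129", "199.7.83.42",
    "202.12.27.33",
}

# Constructed sample alerts (assumed format): time|src|dst|dport|msg
# 192.0.2.1 stands in for the firewall's recursive resolver,
# 198.51.100.10 for a TLD server, 203.0.113.53 for the authoritative server.
SAMPLE_ALERTS = """\
09:01:02|192.0.2.1|198.41.0.4|53|APP-DETECT DNS request for potential malware SafeGuard to domain 360safe.com
09:01:02|192.0.2.1|198.51.100.10|53|APP-DETECT DNS request for potential malware SafeGuard to domain 360safe.com
09:01:03|192.0.2.1|203.0.113.53|53|APP-DETECT DNS request for potential malware SafeGuard to domain 360safe.com
09:05:40|192.0.2.1|203.0.113.80|80|constructed non-DNS alert
"""

def dns_block_targets(alert_text, pass_list):
    """Map each DNS-server destination of a DNS-query alert to (role, pass-listed?)."""
    nets = [ipaddress.ip_network(n) for n in pass_list]
    result = {}
    for line in alert_text.splitlines():
        if not line.strip():
            continue
        _ts, _src, dst, dport, msg = line.split("|", 4)
        if int(dport) != 53 or "DNS request" not in msg:
            continue  # only alerts raised on the DNS query itself
        ip = ipaddress.ip_address(dst)
        role = "root server" if dst in ROOT_SERVERS else "other DNS server"
        result[dst] = (role, any(ip in n for n in nets))
    return result

def would_be_blocked(targets):
    """DNS servers that block-on-alert would still blacklist despite the pass list."""
    return sorted(ip for ip, (_role, passed) in targets.items() if not passed)

if __name__ == "__main__":
    targets = dns_block_targets(SAMPLE_ALERTS, sorted(ROOT_SERVERS))
    for ip, (role, passed) in targets.items():
        print(f"{ip:15} {role:16} {'pass-listed' if passed else 'WOULD BE BLOCKED'}")
```

With only the root servers pass-listed, the TLD and authoritative servers in the sample remain block targets, which is why the replies recommend disabling the rule rather than growing the pass list.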