sirkike
just joined
Topic Author
Posts: 20
Joined: Mon Mar 22, 2010 10:34 pm
Location: Peru

Layer7: DNS Pattern to catch only .CC domains

Fri Dec 14, 2012 1:50 pm

I modified the DNS pattern to this:
^.?.?.?.?[\x01\x02].?.?.?.?.?.?[\x01-?][a-z0-9][\x01-?a-z]*[\x02-\x06](cc)[\x01-\x10][\x01\x03\x04\xFF]
And the .CC domains are being detected, but I need to know if this is written well, or whether it will catch other domains, not only .cc.



P.S.: Sorry for my bad English! :)
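
An added check of the pattern posted above (example code, not part of the original post): it builds DNS queries and runs the regex over them in Python. It assumes the Layer7 matcher drops NUL bytes before matching, as the original l7-filter kernel module does; `build_query`, `l7_matches` and `classify` are hypothetical helper names and the domain names are constructed samples.

```python
import re
import struct

# Pattern exactly as posted in the thread.
CC_PATTERN = re.compile(
    rb"^.?.?.?.?[\x01\x02].?.?.?.?.?.?[\x01-?][a-z0-9][\x01-?a-z]*"
    rb"[\x02-\x06](cc)[\x01-\x10][\x01\x03\x04\xFF]",
    re.DOTALL,  # let "." match every byte value, including 0x0a
)

QTYPES = {"A": 1, "MX": 15, "AAAA": 28}

def build_query(name, qtype="A", txid=0x1A2B):
    """Build a minimal DNS query: RD flag set, one question, class IN."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii") for label in name.split(".")
    )
    return header + qname + b"\x00" + struct.pack(">HH", QTYPES[qtype], 1)

def l7_matches(payload):
    """Assumption: NUL bytes are dropped before matching, as in the
    original l7-filter kernel module."""
    return CC_PATTERN.search(payload.replace(b"\x00", b"")) is not None

# Constructed sample queries (not taken from real traffic).
SAMPLES = [
    ("abcdefg.cc", "A"),
    ("abcdefg.cc", "MX"),
    ("abcdefg.cc", "AAAA"),
    ("abcdefg.com", "A"),
    ("abcdefg.net", "A"),
    ("files.cc.abcdefg.com", "A"),
]

def classify(samples=SAMPLES):
    """Return {(name, qtype): matched} for each sample query."""
    return {s: l7_matches(build_query(*s)) for s in samples}

if __name__ == "__main__":
    for (name, qtype), hit in classify().items():
        print(f"{name:24} {qtype:5} {'MATCH' if hit else 'no match'}")
```

Under these assumptions the pattern matches A and MX queries for a name ending in .cc and does not match the .com or .net names, nor a name where "cc" is an inner label. It misses the AAAA query, because QTYPE 28 (0x1c) falls outside `[\x01-\x10]`.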
 
coffeecoco
Member Candidate
Posts: 174
Joined: Wed Oct 12, 2005 1:17 pm

Re: Layer7: DNS Pattern to catch only .CC domains

Fri Dec 14, 2012 3:21 pm

Why would you want to catch .cc domains? I have one.
 
sirkike
just joined
Topic Author
Posts: 20
Joined: Mon Mar 22, 2010 10:34 pm
Location: Peru

Re: Layer7: DNS Pattern to catch only .CC domains

Fri Dec 14, 2012 3:43 pm

Because, along with other rules of number of connections, I can identify if a user has a computer infected with a virus. When the machine has a virus, this generates a lot of connections and DNS resolution requests like this:
dbpiqlx.cc
pdlcgjpf.com
plhbhbwh.net
xaplvuyw.cc
iidllkvybl.cc
olytatcn.com
izyjofff.com
jovxpxkesy.cc
 
normis
MikroTik Support
Posts: 26924
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Layer7: DNS Pattern to catch only .CC domains

Fri Dec 14, 2012 3:44 pm

There are also a lot of .com domains there. You probably won't block those ;)
 
sirkike
just joined
Topic Author
Posts: 20
Joined: Mon Mar 22, 2010 10:34 pm
Location: Peru

Re: Layer7: DNS Pattern to catch only .CC domains

Fri Dec 14, 2012 3:48 pm

I don't block .com or .cc or .net; I only identify the request, then redirect all traffic of that user to a website, where I inform them that they are infected with a virus.
