:443 in domain name of hosts/win10/spy.txt #98

Closed
rgctoo opened this issue Jan 27, 2018 · 4 comments

rgctoo commented Jan 27, 2018

Jan 27 18:54:20 xxx named[21230]: redir2null.zone:16: telemetry.appex.bing.net**:443**: bad owner name (check-names)
Jan 27 18:54:20 xxx named[21230]: zone telemetry.appex.bing.net:443/IN: loading from master file redir2null.zone failed: bad owner name (check-names)
Jan 27 18:54:20 xxx named[21230]: zone telemetry.appex.bing.net:443/IN: not loaded due to errors.
---------------------
btw: a small contribution
----------------------
#!/bin/bash
#######################################
## cvHosts2Bind+Snort.sh
#######################################
# small script to convert hosts-files
# to BIND-DNS zones and SNORT rules
#######################################
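# Collect every name mapped to 0.0.0.0 in the spy lists
for sf in $(find data/hosts -name spy.txt); do
  sed -ne '/^0\.0\.0\.0/s/^0\.0\.0\.0 //p' "$sf"
done | sort -u >MS-SpyDomains.txt

# One BIND zone statement per name, all pointing at the same null zone file
sed -ne 's@\(.*$\)@zone "\1" {type master; file "redir2null.zone";};@p' MS-SpyDomains.txt >MS-SpyDomains.zones

# One Snort rule per name; the content is the DNS query name as |length|label pairs
let SID=1000501
for DOM in $(grep -v '^#' MS-SpyDomains.txt); do
  echo -n 'alert udp $HOME_NET any -> any 53 (msg:"WSB: MS Spy DNS lookup for '"$DOM"'"; content:"'
  # Consume the name label by label so repeated labels are not dropped
  rest=$DOM
  while [ -n "$rest" ]; do
    dom=${rest%%.*}
    printf '|%02x|%s' "${#dom}" "$dom"
    if [ "$rest" = "$dom" ]; then rest=; else rest=${rest#*.}; fi
  done
  echo '|00|"; offset:12;fast_pattern; nocase; threshold: type limit, track by_src, seconds 60, count 1; classtype:policy-violation; sid:'"$SID"'; rev:1;)'
  let SID++
done >MS-SpyDomains.rules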
----------------------------------------
---------- redir2null.zone ----------
; This zone will kill all traffic to a listed domain
;
$TTL    86400   ; one day
@       IN      SOA     ns.xxx.bogus. xxx.bogus. (
                          1
                          28800   ; refresh  8 hours
                          7200    ; retry    2 hours
                          864000  ; expire  10 days
                          86400 ) ; min ttl  1 day
                NS      ns.xxx.bogus.
                A	0.0.0.0
*       IN      A       0.0.0.0

@crazy-max (Owner)

Hi @rgctoo, can you reformat your issue, it's pretty ugly 🙃
And also give some explanations. Thanks


Atavic commented Feb 1, 2018

Apparently he got an error:
telemetry.appex.bing.net**:443**: bad owner name (check-names)... not loaded

He then gives a small contribution script:

#!/bin/bash
#######################################
## cvHosts2Bind+Snort.sh
#######################################
# small script to convert hosts-files
# to BIND-DNS zones and SNORT rules
#######################################
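# Collect every name mapped to 0.0.0.0 in the spy lists
for sf in $(find data/hosts -name spy.txt); do
  sed -ne '/^0\.0\.0\.0/s/^0\.0\.0\.0 //p' "$sf"
done | sort -u >MS-SpyDomains.txt

# One BIND zone statement per name, all pointing at the same null zone file
sed -ne 's@\(.*$\)@zone "\1" {type master; file "redir2null.zone";};@p' MS-SpyDomains.txt >MS-SpyDomains.zones

# One Snort rule per name; the content is the DNS query name as |length|label pairs
let SID=1000501
for DOM in $(grep -v '^#' MS-SpyDomains.txt); do
  echo -n 'alert udp $HOME_NET any -> any 53 (msg:"WSB: MS Spy DNS lookup for '"$DOM"'"; content:"'
  # Consume the name label by label so repeated labels are not dropped
  rest=$DOM
  while [ -n "$rest" ]; do
    dom=${rest%%.*}
    printf '|%02x|%s' "${#dom}" "$dom"
    if [ "$rest" = "$dom" ]; then rest=; else rest=${rest#*.}; fi
  done
  echo '|00|"; offset:12;fast_pattern; nocase; threshold: type limit, track by_src, seconds 60, count 1; classtype:policy-violation; sid:'"$SID"'; rev:1;)'
  let SID++
done >MS-SpyDomains.rules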

named (Bind executable) got the aforementioned error while reading redir2null.zone


Atavic commented Feb 1, 2018

telemetry.appex.bing.net443

I meant to expose the error in bold, but I failed. He gets :443 appended but he doesn't need it.

crazy-max added a commit that referenced this issue Feb 10, 2018
Move 13.79.239.69 to extra for Windows 10 (Issue #94)
Typo in Windows 10 spy list (Issue #98)

@crazy-max (Owner)

@rgctoo This entry has been removed
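
One way to catch entries like the `:443` one before named or Snort sees them, as an added example that is not part of the thread or the project's code. It assumes RFC 1123 hostname syntax is a fair approximation of what check-names accepts, uses hypothetical function names, and runs on constructed sample input.

```shell
#!/bin/sh
# Added example, not from the thread; function names are hypothetical.

# Succeed only for RFC 1123 hostname syntax: letters, digits and hyphens in
# dot-separated labels of 1-63 characters, at most 253 characters overall.
valid_hostname() {
  name=$1
  [ -n "$name" ] && [ "${#name}" -le 253 ] || return 1
  case $name in
    *[!A-Za-z0-9.-]*) return 1 ;;  # ':' as in host:443, '_', '/', ...
    .*|*.|*..*)       return 1 ;;  # empty label
    -*|*-|*.-*|*-.*)  return 1 ;;  # label starts or ends with a hyphen
  esac
  rest=$name
  while [ -n "$rest" ]; do
    label=${rest%%.*}
    [ "${#label}" -le 63 ] || return 1
    case $rest in *.*) rest=${rest#*.} ;; *) rest= ;; esac
  done
  return 0
}

# Read hosts-format lines ("0.0.0.0 name") on stdin: print valid names on
# stdout, report the rest on stderr instead of passing them downstream.
filter_hosts() {
  while read -r addr host extra; do
    [ "$addr" = "0.0.0.0" ] || continue
    if valid_hostname "$host"; then printf '%s\n' "$host"
    else printf 'rejected: %s\n' "$host" >&2; fi
  done
}

# Encode a name as length-prefixed DNS labels in Snort content notation.
# The name is consumed label by label, so repeated labels are kept.
snort_qname() {
  rest=$1 out=
  while [ -n "$rest" ]; do
    label=${rest%%.*}
    out=$out$(printf '|%02x|%s' "${#label}" "$label")
    case $rest in *.*) rest=${rest#*.} ;; *) rest= ;; esac
  done
  printf '%s|00|\n' "$out"
}

# Constructed sample input; the second line mirrors the entry in this issue.
sample='0.0.0.0 telemetry.example.net
0.0.0.0 telemetry.appex.bing.net:443
0.0.0.0 ads.test.test'
printf '%s\n' "$sample" | filter_hosts | while read -r h; do snort_qname "$h"; done
```

Piping the extracted list through `filter_hosts` before the zone and rule generation keeps one bad entry from stopping a zone load, and the stderr report shows which upstream line needs fixing.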
