Snort mailing list archives
Re: no documentation about some rules
From: Jamie Riden <jamie.riden () gmail com>
Date: Fri, 29 Aug 2014 08:14:54 +0100
Yes, sorry, I could have been clearer. There are two possibilities I guess: Maurizio's hosts are communicating for legitimate reasons with a server that has been compromised to add a CNC channel to it - or that they are actually running some piece of malware which is phoning home.

It would help to see some packet dumps if there are any? Or to know if there are any other alerts firing for the IP addresses in question.

thanks,
Jamie

On 28 August 2014 23:43, Joel Esler (jesler) <jesler () cisco com> wrote:
> On Aug 28, 2014, at 11:21 AM, Jamie Riden <jamie.riden () gmail com> wrote:
>
>> malware-cnc means that IP address has been observed acting as a Command and Control server for some malware in the past, which in turn means you might want to check if any of those boxes which are trying to talk to it are compromised.
>
> Malware-cnc is the outbound connectivity (Command and control - CNC) from a known piece of malware.
>
>> Not so sure about blacklists - it depends on which list they were found in.
>
> Blacklist is more of a general category of known bad. Be that User-Agents (which may cover entire families of malware) or DNS entries.
>
> --
> Joel Esler
> Open Source Manager
> Threat Intelligence Team Lead
> Talos
--
Jamie Riden / jamie () honeynet org / jamie.riden () gmail com
http://uk.linkedin.com/in/jamieriden
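As an added example (not code from this thread or from the Snort project), a small triage helper in the spirit of Jamie's suggestion: parse Snort alert_fast lines, group them by the remote IP, and list the internal hosts whose traffic to a remote address was flagged by more than one rule category or came from several machines. The alert lines, the local-range SIDs and the RFC 5737 addresses are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed sample alert_fast lines (not real traffic): local-range SIDs and
# RFC 5737 documentation addresses stand in for real rule ids and remote hosts.
SAMPLE_ALERTS = """\
08/28-11:02:13.112233  [**] [1:1000001:1] MALWARE-CNC Win.Trojan.Example outbound connection [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.1.20:51234 -> 203.0.113.10:443
08/28-11:02:40.556677  [**] [1:1000002:1] BLACKLIST User-Agent known malicious user agent [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.1.20:51240 -> 203.0.113.10:80
08/28-11:05:02.000001  [**] [1:1000001:1] MALWARE-CNC Win.Trojan.Example outbound connection [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.1.37:49876 -> 203.0.113.10:443
08/28-11:09:15.222222  [**] [1:1000003:1] BLACKLIST DNS request for known malware domain [**] [Classification: A Network Trojan was detected] [Priority: 1] {UDP} 10.1.1.50:53011 -> 198.51.100.5:53
"""

# One alert_fast line: timestamp, [gid:sid:rev], message, classification/priority, {proto} src:port -> dst:port
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse_alert(line):
    """Return the fields of one alert_fast line, or None if the line does not match."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    # Rule messages start with the category (MALWARE-CNC, BLACKLIST, ...)
    fields["category"] = fields["msg"].split(" ", 1)[0].upper()
    return fields

def summarize_by_remote(text):
    """Group alerts by remote (destination) IP: which internal hosts reached it and which categories fired."""
    summary = defaultdict(lambda: {"hosts": set(), "categories": defaultdict(int)})
    for line in text.splitlines():
        alert = parse_alert(line)
        if alert is None:
            continue
        summary[alert["dst"]]["hosts"].add(alert["src"])
        summary[alert["dst"]]["categories"][alert["category"]] += 1
    return summary

def hosts_to_triage(summary):
    """Internal hosts talking to a remote IP that more than one rule category flagged,
    or that several internal hosts reached: both patterns warrant a closer look."""
    suspects = set()
    for entry in summary.values():
        if len(entry["categories"]) > 1 or len(entry["hosts"]) > 1:
            suspects |= entry["hosts"]
    return sorted(suspects)
```

Point it at a real alert file with `summarize_by_remote(open("alert").read())`; a single BLACKLIST hit on its own, like the DNS line above, is left for manual review rather than flagged.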