Snort mailing list archives
Re: Snort SID Help 1:28039:5
From: Vincent Zhen <vincent.zhen () nyu edu>
Date: Fri, 11 Mar 2016 10:26:23 -0500
snort.rules:

alert udp $HOME_NET any -> any 53 (msg:"INDICATOR-COMPROMISE Suspicious .pw dns query"; flow:to_server; content:!"|01|u|02|pw"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|pw|00|"; distance:0; fast_pattern; metadata:policy balanced-ips alert, policy security-ips drop, service dns; classtype:trojan-activity; sid:28039; rev:5;)

On Fri, Mar 11, 2016 at 10:04 AM, Matt Brichetto <M_Brichetto () cuinterface com> wrote:
Hello Fellow Snort Users,

I get the following alert below on a LAN to LAN address. Every once in a while we get this, but there seems to be no info on the rule. Has this rule been deprecated or something along those lines? I really don’t know how to troubleshoot this or if it is a false positive.

EVENT # : 172511
EVENTLOG : Application
EVENT TYPE : WARNING (2)
SOURCE : snort
EVENT ID : 1
TIME : 3/11/2016 9:25:55 AM
MESSAGE : [1:28039:5] INDICATOR-COMPROMISE Suspicious .pw dns query [Classification: A Network Trojan was Detected] [Priority: 1] {UDP} 192.168.22.16:17159 -> 192.168.22.4:53

Thanks,

Matt Brichetto
Network Administrator

------------------------------------------------------------------------------
Transform Data into Opportunity. Accelerate data analysis in your applications with Intel Data Analytics Acceleration Library. Click to learn more. http://pubads.g.doubleclick.net/gampad/clk?id=278785111&iu=/4140
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
--
Vincent Zhen
Network Security Analyst, NYU Technology Security Services
New York University
726 Broadway, New York, NY 10003
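Added example for this archive page (not code from the thread, from Snort, or from the Talos rule set): a small Python script that applies the three content checks of SID 28039 rev 5, exactly as posted above, to a raw UDP DNS payload and decodes the question name, so that an alert like the one reported can be triaged by looking at what was actually queried. All packets are constructed inline with the hypothetical build_query helper; none of them is captured traffic from the reporter's network.

```python
import struct

# The three content checks of SID 28039 rev 5, as byte strings.
WHITELIST = b"\x01u\x02pw"                                  # content:!"|01|u|02|pw"
HEADER_TAIL = b"\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"  # flags 0x0100, QD=1, AN/NS/AR=0
PW_TLD = b"\x02pw\x00"                                      # label "pw" followed by the root label


def sid_28039_matches(payload: bytes) -> bool:
    """Re-implement the rule's payload checks on a UDP DNS payload.

    Assumption: the caller has already satisfied the non-payload conditions
    (UDP from $HOME_NET to port 53, flow:to_server); this looks only at bytes,
    which is all the content options themselves do.
    """
    # The negated content has no relative modifier, so Snort checks it
    # against the whole payload; any hit suppresses the alert.
    if WHITELIST in payload:
        return False
    # depth:10; offset:2 confines the 10-byte pattern to bytes 2..11,
    # i.e. the header minus the transaction ID.
    if payload[2:12] != HEADER_TAIL:
        return False
    # distance:0 starts the next search where the previous match ended (offset 12).
    return payload.find(PW_TLD, 12) != -1


def parse_qname(payload: bytes, offset: int = 12) -> tuple:
    """Decode the question name; returns (name, offset just past the root label)."""
    labels = []
    pos = offset
    while True:
        if pos >= len(payload):
            raise ValueError("truncated question name")
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            # Compression pointers do not belong in a query's question section.
            raise ValueError("compression pointer in question name")
        labels.append(payload[pos:pos + length].decode("ascii", "replace"))
        pos += length
    return ".".join(labels), pos


def build_query(name: str, txid: int = 0x1234, edns: bool = False) -> bytes:
    """Construct a standard A/IN query for `name` (test input, not captured traffic)."""
    arcount = 1 if edns else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.split(".")) + b"\x00"
    packet = header + qname + struct.pack("!HH", 1, 1)   # QTYPE A, QCLASS IN
    if edns:
        # OPT pseudo-RR: root name, TYPE 41, UDP size 4096, TTL field 0, RDLEN 0.
        packet += b"\x00" + struct.pack("!HHIH", 41, 4096, 0, 0)
    return packet


def triage(payload: bytes) -> dict:
    """What an analyst wants from the packet behind the alert: the name and the verdict."""
    name, _ = parse_qname(payload)
    return {"qname": name, "sid_28039": sid_28039_matches(payload)}


if __name__ == "__main__":
    for sample in ("cdn.example.pw", "u.pw", "pw.example.com", "example.pw"):
        print(sample, triage(build_query(sample)))
    # An EDNS query carries ARCOUNT=1, so the header check fails and the rule never fires.
    print("example.pw (EDNS)", triage(build_query("example.pw", edns=True)))
```

Reading the rule this way makes the triage steps concrete. The 10-byte pattern at offset 2 pins the header to a standard query with RD set, one question and no answer, authority or additional records, so a query carrying an EDNS0 OPT record (ARCOUNT=1) will not trigger it; "|02|pw|00|" requires "pw" to be the final label, so the rule is effectively "any query for a name under the .pw TLD other than u.pw". For a LAN-to-LAN hit like 192.168.22.16 -> 192.168.22.4:53, the internal host asked the internal resolver for a .pw name; capture that query (or check the resolver's query log) and the decoded QNAME tells you whether the lookup is legitimate. If the resolver forwards the question upstream from an address inside $HOME_NET, that second query can fire the same rule.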
Current thread:
- Snort SID Help 1:28039:5 Matt Brichetto (Mar 11)
- Re: Snort SID Help 1:28039:5 Joel Esler (jesler) (Mar 11)
- Re: Snort SID Help 1:28039:5 Vincent Zhen (Mar 11)
- Re: Snort SID Help 1:28039:5 Vincent Zhen (Mar 11)
- Re: Snort SID Help 1:28039:5 Vincent Zhen (Mar 11)
- Re: Snort SID Help 1:28039:5 Vincent Zhen (Mar 11)
- Re: Snort SID Help 1:28039:5 Joel Esler (jesler) (Mar 11)