[Snort-sigs] malware-cnc.rules

Gaißer, Carmen carmen.gaisser at ...3768...
Mon Feb 11 10:42:25 EST 2013



For the purpose of botnet detection, I generated some sample traffic by
using signatures from the Snort malware-cnc.rules set.


Currently, I am facing the problem that Snort is not able to detect these
signatures. The problem occurs with IPv4 and IPv6 traffic.


Some details:

I generated HTTP requests by using Snort signatures from the
malware-cnc.rules set as part of the request URI. Therefore, I used only
signatures which apply to HTTP traffic, and only those that use one content
keyword with the http_uri modifier.


I already tested my Snort configuration, which should be OK. I have set
HOME_NET and EXTERNAL_NET explicitly to the addresses of the client and
server. The malware-cnc.rules file is loaded correctly. I confirmed this by adding
a custom rule which alerts on any TCP connection. This works correctly. But no
alerts on the content of the HTTP requests. Regarding the IPv6 sample
traffic, only HTTP responses are analyzed, which is odd.


Does anyone have an idea why Snort is not able to detect the signatures in
the sample traffic?

Or why only IPv6 HTTP responses are analyzed?






