[Snort-sigs] malware-cnc.rules

Alex McDonnell amcdonnell at ...435...
Mon Feb 11 11:11:36 EST 2013


Hi Carmen,

  do you have:

1. pcaps
2. a rule to examine

those are the first two things to look at to see if anything is amiss.

thanks,
Alex McDonnell

On Mon, Feb 11, 2013 at 10:42 AM, Gaißer, Carmen <
carmen.gaisser at ...3768...> wrote:

> Hi,
>
> for the purpose of botnet detection, I generated some sample traffic by
> using signatures from the snort malware-cnc.rules set.
>
> Currently, I am facing the problem that snort is not able to detect these
> signatures. The problem occurs with IPv4 and IPv6 traffic.
>
> Some details:
>
> I generated http requests by using snort signatures from the
> malware-cnc.rule set as part of the request uri. Therefore, I used only
> signatures which apply to http traffic and only those that use one content
> keyword with the http_uri identifier.
>
> I already tested my snort configuration which should be ok. I have set
> the HOME_NET and EXTERNAL_NET explicitly to the addresses of the client and
> server. The malware-cnc.rule is loaded correctly. I confirmed this by
> adding a custom rule which alerts any tcp connection. This works correctly.
> But no alerts on the content of the http requests. Regarding the IPv6
> sample traffic, only http responses are analyzed which is odd.
>
> Does anyone have an idea why snort is not able to detect the signatures in
> the sample traffic?
>
> Or why only IPv6 http responses are analyzed?
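The test Carmen describes, placing the content of http_uri rules into a request URI, as an added self-check example; this is not code from the thread or from the Snort project. It parses malware-cnc-style rules, decodes |hex| content, and checks that a candidate URI contains every http_uri content of a rule, which is the minimum the content options require before Snort would alert (Snort compares http_uri against the normalized URI, so the candidate is passed in decoded form). The rule text, the sids (local-range placeholders, not real signatures) and the URIs are constructed for the example.

```python
import re

# Constructed malware-cnc style rules; the sids are local-range placeholders, not real signatures.
SAMPLE_RULES = r'''
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC constructed sample beacon"; flow:to_server,established; content:"/status.php?id=|41 42|"; http_uri; nocase; sid:1000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC constructed sample upload"; flow:to_server,established; content:"/upload.cgi"; http_uri; content:"data="; http_uri; content:"Bot-Agent"; http_header; sid:1000002; rev:1;)
'''

def decode_content(raw: str) -> bytes:
    """Snort content string -> bytes: |41 42| hex blocks, plus \\" \\; \\| \\\\ escapes in the text parts."""
    parts = re.split(r"\|([0-9A-Fa-f ]*)\|", raw)  # odd indices are the insides of |...| hex blocks
    return b"".join(bytes.fromhex(p) if i % 2 else re.sub(r"\\(.)", r"\1", p).encode("latin-1")
                    for i, p in enumerate(parts))

def split_options(body: str) -> list:
    """Split the rule option body on ';' that sit outside double quotes."""
    return [o.strip() for o in re.findall(r'(?:[^;"]|"(?:\\.|[^"\\])*")+', body) if o.strip()]

def parse_rules(text: str) -> list:
    """Return {'sid', 'msg', 'contents': [[bytes, nocase], ...]} for each rule that has a non-negated
    content carrying the http_uri modifier; contents for other buffers (http_header, ...) are skipped."""
    rules = []
    for line in text.splitlines():
        if not line.startswith("alert") or "(" not in line:
            continue
        rule, pending = {"sid": "?", "msg": "", "contents": []}, None
        for opt in split_options(line[line.index("(") + 1:line.rindex(")")]):
            key, _, val = (s.strip() for s in opt.partition(":"))
            if key == "content":  # content:!"..." is a negation and cannot be placed in a test URI
                pending = None if val.startswith("!") else [decode_content(val.strip('"')), False]
            elif key == "http_uri" and pending:
                rule["contents"].append(pending)
            elif key == "nocase" and pending:  # modifies the preceding content, before or after http_uri
                pending[1] = True
            elif key in ("sid", "msg"):
                rule[key] = val.strip('"')
        if rule["contents"]:
            rules.append(rule)
    return rules

def uri_matches(uri: str, rule: dict) -> bool:
    """True if every http_uri content of the rule occurs in the URI (offset/depth/distance/within are
    ignored). Snort evaluates http_uri on the normalized URI, so pass the percent-decoded form."""
    hay = uri.encode("latin-1")
    return all((p.lower() in hay.lower()) if nocase else (p in hay) for p, nocase in rule["contents"])

def build_test_uri(rule: dict) -> str:
    """Concatenate the rule's http_uri contents into one request path, as in the test described above."""
    return "/" + "".join(p.decode("latin-1") for p, _ in rule["contents"]).lstrip("/")
```

If a rule's content is found in the decoded URI here but Snort still stays silent, the remaining suspects are outside the content match itself: the rule header (direction, $HTTP_PORTS), and whether the HTTP preprocessor actually parsed the request on that port.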