[Snort-sigs] Request assistance regarding VRT sig 1:27962 (MALWARE-CNC Win.Trojan.Storm botnet connection reset)

Mathewson, Nathan Mathewson at ...3842...
Fri Oct 4 20:21:52 EDT 2013


We have most of the Malware-CNC rules enabled and we installed the VRT rule update from 9-24-2013.  We are now seeing alerts from this sig 1:27962.  We see user machines sending from one to three TCP SYN packets out and receiving back RST/ACK packets with a reset cause 'Go away, we're not home', exactly as the rule requires.

This appears to be a "new" snort vrt rule in this rule set yet it only references sources from 2008.

We have not been able to find explanations for why one receives these unique RST/ACK packets.

Can anyone assist us with information regarding this sig, why this rule was seemingly just added, its current status, and what might be the cause[s] for these resets with this unique "reset cause"?

Attached file is a sample SYN - RST/ACK, in pcap format.

Appreciate your assistance.

Nathan

Disclaimer:
The materials in this e-mail are private and may contain Protected Health Information. Please note that e-mail is not necessarily confidential or secure. Your use of e-mail constitutes your acknowledgment of these confidentiality and security limitations. If you are not the intended recipient, be advised that any unauthorized use, disclosure, copying, distribution, or the taking of any action in reliance on the contents of this information is strictly prohibited. If you have received this e-mail in error, please immediately notify the sender via telephone or return e-mail.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: example-1-syn-reset-pair.pcap
Type: application/octet-stream
Size: 199 bytes
Desc: example-1-syn-reset-pair.pcap
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20131005/c2094e8e/attachment.obj>
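A defender-side triage script for the pattern Nathan describes (one or more outbound SYNs answered by an RST/ACK whose payload carries the reset-cause text), added here as an example; it is not part of the original post or the VRT rule, and it runs on constructed frames with placeholder addresses rather than the attached pcap. Pairing the RST/ACK with the SYN it answers, as the rule requires, is what separates this from a plain content match on the string.

```python
import struct

RESET_CAUSE = b"Go away, we're not home"   # reset-cause text quoted in the post
TCP_SYN, TCP_RST, TCP_ACK = 0x02, 0x04, 0x10

def build_frame(src, dst, sport, dport, flags, payload=b""):
    """Minimal Ethernet/IPv4/TCP frame used as constructed test input (checksums left zero)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                         bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip_hdr + tcp_hdr + payload

def parse_tcp(frame):
    """Return (src, dst, sport, dport, flags, payload), or None for non-IPv4/TCP frames."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    src, dst = (".".join(str(b) for b in frame[i:i + 4]) for i in (26, 30))
    tcp = frame[14 + ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    return src, dst, sport, dport, tcp[13], tcp[data_off:]

def find_storm_resets(frames):
    """Flag an RST/ACK carrying RESET_CAUSE only when it answers a SYN seen earlier."""
    syn_count = {}   # (client, server, sport, dport) -> SYNs sent (the post reports one to three)
    hits = []
    for parsed in filter(None, map(parse_tcp, frames)):
        src, dst, sport, dport, flags, payload = parsed
        if flags & TCP_SYN and not flags & TCP_ACK:
            key = (src, dst, sport, dport)
            syn_count[key] = syn_count.get(key, 0) + 1
        elif flags & TCP_RST and flags & TCP_ACK and RESET_CAUSE in payload:
            key = (dst, src, dport, sport)           # reverse the tuple: this is the reply
            if key in syn_count:
                hits.append({"client": dst, "server": src, "client_port": dport,
                             "syns": syn_count[key], "cause": payload.decode("ascii", "replace")})
    return hits

def sample_frames():
    """Constructed traffic: two retried SYNs answered by a tagged RST/ACK, then an ordinary refusal."""
    client, server = "10.0.0.5", "198.51.100.7"   # placeholder addresses, not from the pcap
    return [
        build_frame(client, server, 49152, 80, TCP_SYN),
        build_frame(client, server, 49152, 80, TCP_SYN),
        build_frame(server, client, 80, 49152, TCP_RST | TCP_ACK, RESET_CAUSE),
        build_frame(client, server, 49153, 443, TCP_SYN),
        build_frame(server, client, 443, 49153, TCP_RST | TCP_ACK),   # no cause text: not flagged
    ]
```

To run it against a real capture, read each frame's bytes from the pcap records and pass them to find_storm_resets; the per-tuple SYN count gives the one-to-three retries the post mentions.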
