[Snort-sigs] Request assistance regarding VRT sig 1:27962 (MALWARE-CNC Win.Trojan.Storm botnet connection reset)

James Lay jlay at ...3266...
Fri Oct 4 21:14:47 EDT 2013

On Oct 4, 2013, at 6:21 PM, "Mathewson, Nathan" <Mathewson at ...3842...> wrote:

> We have most of the Malware-CNC rules enabled and we installed the VRT rule update from 9-24-2013.  We are now seeing alerts from this sig 1:27962.  We see user machines sending from one to three TCP SYN packets out and receiving back RST/ACK packets with a reset cause ‘Go away, we’re not home’, exactly as the rule requires.
> This appears to be a “new” snort vrt rule in this rule set yet it only references sources from 2008.
> We have not been able to find explanations for why one receives these unique RST/ACK packets. 
> Can anyone assist us with information regarding this sig, why this rule was seemingly just added, its current status, and what might be the cause[s] for these resets with this unique “reset cause”.
> Attached file is a sample SYN – RST/ACK, in pcap format.
> Appreciate your assistance.
> Nathan

Take your pick on one of these:


Interesting reading.
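The behaviour Nathan describes (a SYN out, then a RST/ACK back whose payload carries the text "Go away, we're not home") is easy to check for outside Snort when triaging such alerts. The following is an added example, not code from the Snort VRT or from anyone on this thread: it builds a few IPv4/TCP packets in memory (constructed sample traffic, not the attached pcap) and flags RST/ACK segments carrying that reset-cause string. The `build_ipv4_tcp` and `scan` helpers are assumptions for the demonstration; checksums are left zeroed since the parser does not validate them.

```python
"""Detect RST/ACK segments carrying a textual reset cause.

Added example for triaging alerts like sig 1:27962; not VRT code.
Packets below are constructed in memory, not taken from a real capture.
"""
import struct

RESET_CAUSE = b"Go away, we're not home"   # reset-cause text from the list message

TCP_SYN = 0x02
TCP_RST = 0x04
TCP_ACK = 0x10


def build_ipv4_tcp(src, dst, sport, dport, flags, payload=b""):
    """Construct an IPv4 + TCP packet (no link layer). Checksums are zero."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0,
                      (20 // 4) << 4, flags, 8192, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return ip + tcp + payload


def parse_ipv4_tcp(pkt):
    """Return (src, dst, sport, dport, flags, payload), or None if not IPv4/TCP."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 6:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    tcp = pkt[ihl:total_len]
    if len(tcp) < 20:
        return None
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    flags = tcp[13]
    return src, dst, sport, dport, flags, tcp[data_off:]


def is_storm_style_reset(pkt):
    """True when the segment has RST and ACK set and its payload holds the reset-cause text."""
    parsed = parse_ipv4_tcp(pkt)
    if parsed is None:
        return False
    flags, payload = parsed[4], parsed[5]
    return (flags & (TCP_RST | TCP_ACK)) == (TCP_RST | TCP_ACK) and RESET_CAUSE in payload


def scan(packets):
    """Return (responder, victim, responder_port) for every matching RST/ACK."""
    hits = []
    for pkt in packets:
        if is_storm_style_reset(pkt):
            src, dst, sport, _dport, _flags, _payload = parse_ipv4_tcp(pkt)
            hits.append((src, dst, sport))
    return hits


# Constructed sample: one SYN from a workstation, then a RST/ACK with a text payload,
# plus an ordinary RST/ACK without payload and a SYN/ACK that should not match.
SAMPLE_PACKETS = [
    build_ipv4_tcp("192.0.2.10", "198.51.100.7", 50123, 4460, TCP_SYN),
    build_ipv4_tcp("198.51.100.7", "192.0.2.10", 4460, 50123,
                   TCP_RST | TCP_ACK, RESET_CAUSE),
    build_ipv4_tcp("198.51.100.8", "192.0.2.10", 80, 50124, TCP_RST | TCP_ACK),
    build_ipv4_tcp("198.51.100.9", "192.0.2.10", 443, 50125, TCP_SYN | TCP_ACK),
]

if __name__ == "__main__":
    for responder, victim, port in scan(SAMPLE_PACKETS):
        print(f"text-bearing RST/ACK from {responder}:{port} to {victim}")
```

A plain RST/ACK is normal for a closed port; what makes these worth a second look is the payload on a reset, so the check keys on both the flag combination and the string rather than either alone. To run it over a real capture, feed `scan` the IPv4 payload of each frame after stripping the link-layer header.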


