[Snort-sigs] Request assistance regarding VRT sig 1:27962 (MALWARE-CNC Win.Trojan.Storm botnet connection reset)

nicenate at ...3844... nicenate at ...3844...
Mon Oct 7 09:19:07 EDT 2013

 Reply by Nathan to both Jeff and Joel:

Joel, thanks so much for sharing VRT information, as "you all" are the best source for these things.  Much appreciated, both the work on the rule sets, taking the time to share publicly information, and most specially in this time of transition for this once Sourcefire group continuing your public presence.  THANKS!!  

Be a user of snort and VRT for over a decade and visited a few of the Sourcefire presentations at the SANS.  Was glad you all did not go to Israel; but for now ... not so sure....  

Certainly hope that the work with Cisco proves valuable, useful and also specially that the work with snort and the excellent VRT rule sets is able to continue to "everyone's" mutual ... success!!!

About this issue:  This rule alert firing and we can not figure out the what, why, etc.

Joel:  If I understand your comment correctly this rule is considered "still current" and also that your group believes this is at least often if not always the result of 'malware communications' because of current sandbox activity, correct?  

I can attest, that we are seeing this rule firing on a few new machines, ... often.   

Reason we thought this was a "new rule" or at least just re-inserted into the 9/24 rule set:  We have not noticed this rule firing over the last several months, and rule set comments stated this was a "new rule".  We are running the Onion on a few parts of our LAN.  Because we do not keep a record of the old rule sets going back more that two version, and since we see this rule firing now, and we had not see these alerts before we felt this was perhaps a re-worked "old rule" just re-inserted into the rule set..

We have not seen on the I any new information about what is causing the RST ACKs with this unusual and unique "reset cause" phrase.  No attempt to hide here....

Can you share what this communication may be the result of?

Is it still thought of as part of the 'old' Storm P2P communications which "is still active"?

Part of a newer P2P bot net?

Or is this part of newer bot/trojan codes?

I am part of a small enterprise security team and you most certainly can email me directly if privacy issues might be served.  So far AV type scans from multiple products are not revealing much for the machines which have had this activity.

Most sincerely  appreciate everyone's assistance.


On 10/07/13, Joel Esler wrote:

Actually, no. This rule came out of our sandbox running binaries. 

Sent from my iPhone

> On Oct 6, 2013, at 11:41 PM, Jeff Kell <jeff-kell at ...922...> wrote:
>> On 10/6/2013 11:37 PM, Joel Esler wrote:
>> On Oct 4, 2013, at 11:37 PM, nicenate at ...3844... wrote:
>> In the case of this rule we just have not seen any current discussion for this rule. We are asking here if anyone knows more about why this rule has been placed back into the VRT snort rule set.
>> Thank you for asking. This wasn't "placed back" into the ruleset, it seems as if we didn't cover this particular piece of the traffic to begin with, so while the references are from 2008, it's still a relevant rule.
> Got to cover those test suites :) Useless otherwise, but makes the test
> suite results look better :)
> Jeff

More information about the Snort-sigs mailing list