[Snort-sigs] Yumato

waldo kitty wkitty42 at ...3507...
Tue Aug 5 14:03:46 EDT 2014

On 8/5/2014 10:51 AM, usuarionuevo nuevo nuevo wrote:
> Hi, I'm new on this list,
> Anyone knows something about this snort signature:  ET TROJAN Dropper-497
> (Yumato) Initial Checkin
> What does this alert means?

you should ask that of the Emerging Threats folks since that's one of their 
signatures ;)

BUT let's go ahead and look... since that shows "Initial Checkin" it would 
appear to be SID 2007917 which is outbound from your network to some external 
machine on a port 1024 or greater... you can look at the rule to see the content 
matched which caused the rule to fire...

have you also seen 2007918, 2007919 or 2007920 fire?

you can find information on the rules here...


  NOTE: No off-list assistance is given without prior approval.
        Please *keep mailing list traffic on the list* unless
        private contact is specifically requested and granted.

More information about the Snort-sigs mailing list