[Snort-sigs] no documentation about some rules

Joel Esler (jesler) jesler at ...3865...
Thu Aug 28 18:43:26 EDT 2014

On Aug 28, 2014, at 11:21 AM, Jamie Riden <jamie.riden at ...2420...<mailto:jamie.riden at ...2420...>> wrote:

malware-cnc means that IP address has been observed acting as a
Command and Control server for some malware in the past, which in turn
means you might want to check if any of those boxes which are trying
to talk to it are compromised.

Malware-cnc is the outbound connectivity (Command and control - CNC) from a known piece of malware.

Not so sure about blacklists - it depends on which list they were found in.

Blacklist is more of a general category of known bad.  Be that User-Agents (which may cover entire families of malware) or DNS entries.

Joel Esler
Open Source Manager
Threat Intelligence Team Lead

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20140828/cbdd4139/attachment.html>

More information about the Snort-sigs mailing list