[Snort-sigs] no documentation about some rules

Jamie Riden jamie.riden at ...2420...
Fri Aug 29 03:14:54 EDT 2014

Yes, sorry, I could have been clearer.

There are two possibilities I guess: Maurizio's hosts are
communicating for legitimate reasons with a server that has been
compromised to add a CNC channel to it - or that they are actually
running some piece of malware which is phoning home.

It would help to see some packet dumps if there are any? Or to know if
there any other alerts firing for the IP addresses in question.


On 28 August 2014 23:43, Joel Esler (jesler) <jesler at ...3865...> wrote:
> On Aug 28, 2014, at 11:21 AM, Jamie Riden <jamie.riden at ...2420...> wrote:
> malware-cnc means that IP address has been observed acting as a
> Command and Control server for some malware in the past, which in turn
> means you might want to check if any of those boxes which are trying
> to talk to it are compromised.
> Malware-cnc is the outbound connectivity (Command and control - CNC) from a
> known piece of malware.
> Not so sure about blacklists - it depends on which list they were found in.
> Blacklist is more of a general category of known bad.  Be that User-Agents
> (which may cover entire families of malware) or DNS entries.
> --
> Joel Esler
> Open Source Manager
> Threat Intelligence Team Lead
> Talos

Jamie Riden / jamie at ...3509... / jamie.riden at ...2420...

More information about the Snort-sigs mailing list