[Snort-sigs] R: no documentation about some rules
Maurizio Di Pietro (Esterna)
m.dipietro at ...3944...
Fri Aug 29 05:21:12 EDT 2014
I speak about this documentation <https://www.snort.org/rule_docs>
And community documentation, the tar opensoource.tar.gz. A set of txt file,
one for event.
I looking for on virustotal also, for example the event 23493
(Win.trojan.zeroAccess) but Id like understand why the rule searches the 4
bytes (28,94,8d,ab) from fifth to eighth byte
I didnt understand the rule. Does the malware contact the C&C by UDP on
port 16464 and send these bytes? Why? What does it work? This is very
important to understand if is a false positive
Da: Joel Esler (jesler) [mailto:jesler at ...3865...]
Inviato: giovedì 28 agosto 2014 17:14
A: Maurizio Di Pietro (Esterna)
Cc: snort-sigs at lists.sourceforge.net
Oggetto: Re: [Snort-sigs] no documentation about some rules
On Aug 28, 2014, at 10:40 AM, Maurizio Di Pietro (Esterna)
<m.dipietro at ...3944...> wrote:
I have one instance of snort that raises some event. I didnt find the
documentation about their online and in opensource.tar.gz.
All event belong two categories, malware-cnc.rules and blacklist.rues
27247, 28539, 28805, 29262, 24034, 30833, 23493, 30825, 30842, 30840, 30836,
30827, 30835, 31136, 30260, etc
Why there arent a documentation about their?
How can I find information about this event?
Im registered user and use rules 2962.
Documentation exists in two forms. Either as a separate doc (which is what
you are talking about), or the links within the rules themselves. For
example, every malware-cnc rule is linked to the sample on Virustotal that
generated the traffic that the rule was written off of.
Open Source Manager
Threat Intelligence Team Lead
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Snort-sigs