[Snort-sigs] R: no documentation about some rules

Maurizio Di Pietro (Esterna) m.dipietro at ...3944...
Fri Aug 29 05:21:12 EDT 2014

I speak about this documentation  <https://www.snort.org/rule_docs>

And community documentation, the tar opensoource.tar.gz. A set of txt file,
one for event.


I looking for on virustotal also,  for example the event 23493
(Win.trojan.zeroAccess) but I’d like understand why the rule searches the 4
bytes (28,94,8d,ab) from fifth to eighth byte

I didn’t understand the rule. Does the malware contact the C&C by UDP on
port 16464 and send these bytes? Why? What does it work? This is very
important to understand if is a false positive






Da: Joel Esler (jesler) [mailto:jesler at ...3865...] 
Inviato: giovedì 28 agosto 2014 17:14
A: Maurizio Di Pietro (Esterna)
Cc: snort-sigs at lists.sourceforge.net
Oggetto: Re: [Snort-sigs] no documentation about some rules


On Aug 28, 2014, at 10:40 AM, Maurizio Di Pietro (Esterna)
<m.dipietro at ...3944...> wrote:

I have one instance of snort that raises some event. I didn’t find the
documentation about their online and in opensource.tar.gz.

All event belong two categories, malware-cnc.rules and blacklist.rues

For example

27247, 28539, 28805, 29262, 24034, 30833, 23493, 30825, 30842, 30840, 30836,
30827, 30835, 31136, 30260, etc


Why there aren’t a documentation about their?

How can I find information about this event?


I’m registered user and use rules 2962.


Documentation exists in two forms.  Either as a separate doc (which is what
you are talking about), or the links within the rules themselves.  For
example, every malware-cnc rule is linked to the sample on Virustotal that
generated the traffic that the rule was written off of.


Joel Esler
Open Source Manager
Threat Intelligence Team Lead

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20140829/796c3ff7/attachment.html>

More information about the Snort-sigs mailing list