[Snort-sigs] Snort-sigs Digest, Vol 113, Issue 19

Alex McDonnell amcdonnell at ...435...
Tue Oct 27 15:51:03 EDT 2015


If you have a pcap, Austin, I'd love to take a look.

thanks
Alex McDonnell
TALOS


>
> Message: 3
> Date: Tue, 27 Oct 2015 19:07:57 +0000
> From: "Hummert, Austin" <Austin.Hummert at ...4086...>
> Subject: [Snort-sigs] question
> To: "snort-sigs at lists.sourceforge.net"
>         <snort-sigs at lists.sourceforge.net>
> Message-ID:
>         <17339606afd3401fbe7b718adef5cc3c at ...4087...>
> Content-Type: text/plain; charset="us-ascii"
>
> Hello all,
>
> I have a question on a rule that's been firing in my environment.
>
> OS-WINDOWS TRUFFLEHUNTER TALOS-2015-0005 attack attempt (3:36222)
>
> I understand the concept of trufflehunter rules, but I'm wondering how
> other people are handling these. The packets triggering this rule appear to
> be legitimate outbound traffic, and the destination does not appear to be
> blacklisted in any way. The problem is I don't know exactly what the rule
> is looking for, which makes it difficult to verify the traffic itself.
>
> Any thoughts on trufflehunter?
>
> Thanks,
>
> Austin
>
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
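Added here as an example, not code from the thread or from Talos: a Python parser for single-line Snort 2 rules that separates the header and metadata (the parts an analyst can check against observed traffic) from the payload-detection options (content, pcre, byte_test and so on). It also illustrates the point behind the question: a rule numbered 3:xxxxx is a shared-object rule, whose entry in the .rules file is only a stub (header, msg, references, metadata) while the matching logic is compiled into the .so, so reading the stub alone does not reveal what it matches. The two rules in the block are constructed samples in the local SID range, not the content of 3:36222; `port_matches` and `summarize` are helper names of my own.

```python
"""Parse Snort 2 rule text and report what an analyst can verify from it.

Added example, not from the snort-sigs thread. The two rules below are
CONSTRUCTED samples in the local SID range; they are not the text of
rule 3:36222 or any other Talos rule.
"""
import re
from dataclasses import dataclass

HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass|drop|reject|sdrop)\s+(?P<proto>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<direction>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)

# Option keywords that carry payload-detection logic in a text rule.
DETECTION_KEYWORDS = {"content", "uricontent", "pcre", "byte_test",
                      "byte_jump", "byte_extract", "isdataat", "dsize"}

# Constructed text rule (GID 1): the detection logic is readable in the rule body.
TEXT_RULE = (
    'alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"EXAMPLE constructed text rule"; '
    'flow:to_server,established; content:"GET"; http_method; content:"/evil.php"; http_uri; '
    r'pcre:"/id=\d+/U"; reference:url,example.invalid; classtype:trojan-activity; '
    'sid:1000001; rev:1;)'
)

# Constructed shared-object rule stub (GID 3): only header and metadata appear in
# the .rules file; the matching logic lives in the compiled .so.
SO_STUB = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 445 ( msg:"EXAMPLE constructed SO stub"; '
    'flow:to_server,established; metadata:policy balanced-ips drop, service netbios-ssn; '
    'classtype:attempted-admin; gid:3; sid:1000002; rev:1; )'
)


def split_options(opts):
    """Split the option body on ';' outside quotes; a backslash escapes the next char."""
    items, cur, in_quotes, escaped = [], [], False, False
    for ch in opts:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == '"':
            in_quotes = not in_quotes
            cur.append(ch)
        elif ch == ";" and not in_quotes:
            items.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    if "".join(cur).strip():
        items.append("".join(cur).strip())
    parsed = []
    for item in items:
        if item:
            key, _, value = item.partition(":")  # 'http_method' alone has no value
            parsed.append((key.strip(), value.strip()))
    return parsed


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    options: list

    def opt(self, key, default=None):
        """First value of option `key`, or `default` when absent."""
        for k, v in self.options:
            if k == key:
                return v
        return default

    def gid(self):
        return int(self.opt("gid", "1"))  # text rules omit gid; it defaults to 1

    def sid(self):
        return int(self.opt("sid"))

    def detection_options(self):
        return [(k, v) for k, v in self.options if k in DETECTION_KEYWORDS]

    def logic_visible(self):
        """True when the rule text itself contains payload-matching options."""
        return bool(self.detection_options())


def parse_rule(text):
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("not a single-line Snort rule: %r" % text[:60])
    g = m.groupdict()
    return Rule(options=split_options(g.pop("opts")), **g)


def port_matches(spec, port):
    """True if `port` fits a Snort port spec: any, 80, 1024:, :1023, 1:1024, [80,443], !80."""
    spec = spec.strip()
    if spec.startswith("!"):
        return not port_matches(spec[1:], port)
    if spec == "any":
        return True
    if spec.startswith("[") and spec.endswith("]"):
        return any(port_matches(p, port) for p in spec[1:-1].split(","))
    if ":" in spec:
        lo, _, hi = spec.partition(":")
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return int(spec) == port


def summarize(rule):
    """What the rule text lets an analyst verify, and whether the match logic is in it."""
    return {
        "gid_sid": f"{rule.gid()}:{rule.sid()}",
        "msg": rule.opt("msg", "").strip('"'),
        "header": f"{rule.proto} {rule.src}:{rule.sport} {rule.direction} {rule.dst}:{rule.dport}",
        "flow": rule.opt("flow"),
        "detection": [f"{k}:{v}" for k, v in rule.detection_options()],
        "logic_in_text": rule.logic_visible(),
    }


if __name__ == "__main__":
    for text in (TEXT_RULE, SO_STUB):
        for k, v in summarize(parse_rule(text)).items():
            print(f"{k:14} {v}")
        print()
```

For the GID 1 sample the summary lists the content and pcre options, so the flagged packet can be checked against them directly; for the GID 3 stub `logic_in_text` is False and only the header, flow and metadata are available, which is why a pcap of the triggering session is the practical way to have the rule's behaviour explained.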