[Snort-sigs] direction issue with 37053

John Ives jives at ...4131...
Thu Jan 21 16:37:51 EST 2016


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

I had an alert for 37053 and when I went to look at it I noticed an
issue with either the message or the rule direction

The rule msg says it is "MALWARE-CNC Win.Trojan.Tdrop2 outbound
communication attempt," however, with the direction of the traffic
being "$EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any" and the flow
set as to_client, it doesn't seem like this is outbound at all.

Is this just a naming issue or am I missing something.

John


- -- 
- ------------------------------------------------------------------------
John Ives
Information Security & Policy			    Phone (510) 229-8676
University of California, Berkeley
- ------------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2

iQEcBAEBCAAGBQJWoU+vAAoJEJkidK6qbyws7loIAJLgq260ryyGj4mZbgET3y+N
/s0pt68fZuawLpMVT8hYODFWt7lAOv+yhgzEw3fkT4VL/p23q6FP7xS/om2aYQRf
XwK+31HwxarWH3ArSS2Xbgv0+gBXiyHPzEc4pD77amxyuUkjd5Yx9BWM4mEBDyWG
GxDdowG5YqylMb1mascYv/t7uafVxgLt75hzKPHrWNvl35zAc8Pu/9uF/F/+DlKp
KeZJM6ttTrr8aYiWDlUZWev4PqBmPAKRSD/CkEz2ZWOqwnu94kvE4NRlE5/l/OMO
MgrHTq6SKhkcVLvVizAeYPbtkGKTKkPIPl9PS1v6cW3Bph8d6LXZb7RPt3kfzw0=
=m3dh
-----END PGP SIGNATURE-----




More information about the Snort-sigs mailing list